CVE-2021-22901
📋 TL;DR
CVE-2021-22901 is a use-after-free vulnerability in curl/libcurl that allows a malicious TLS 1.3 server to potentially execute arbitrary code on the client. This affects curl clients using OpenSSL with TLS 1.3 session tickets when reusing connections. Any application using vulnerable curl/libcurl versions to connect to untrusted servers is at risk.
💻 Affected Systems
- curl
- libcurl
- any software using libcurl
📦 What is this software?
Communications Cloud Native Core Binding Support Function by Oracle
Communications Cloud Native Core Network Function Cloud Native Environment by Oracle
Communications Cloud Native Core Network Repository Function by Oracle
Communications Cloud Native Core Network Slice Selection Function by Oracle
Communications Cloud Native Core Service Communication Proxy by Oracle
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
Essbase by Oracle
Sinec Infrastructure Network Services by Siemens
Solidfire & Hci Management Node by Netapp
Solidfire Baseboard Management Controller Firmware by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on the client system, allowing full compromise of the affected machine.
Likely Case
Application crash or denial of service due to memory corruption, with RCE being difficult but theoretically possible.
If Mitigated
No impact if patched or if connections are limited to trusted servers only.
🎯 Exploit Status
Exploitation requires precise timing and memory manipulation. The HackerOne report demonstrates the vulnerability but achieving reliable RCE is challenging.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: curl 7.77.0 and later
Vendor Advisory: https://curl.se/docs/CVE-2021-22901.html
Restart Required: Yes
Instructions:
1. Update curl to version 7.77.0 or later.
2. For Linux: use the package manager (apt-get update && apt-get upgrade curl, yum update curl, etc.).
3. For Windows: download the latest release from curl.se.
4. Rebuild any applications using libcurl with the updated version.
5. Restart affected services.
🔧 Temporary Workarounds
Disable TLS 1.3 session tickets
Prevent the vulnerable code path by capping the negotiated TLS version at 1.2, so the server never issues TLS 1.3 session tickets on the connection. Do not add -k: it only disables certificate verification and is unrelated to this bug.
curl --tls-max 1.2 https://example.com
libcurl applications get the same effect by setting CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2.
Disable connection reuse
Prevent the use-after-free by not keeping connections in the pool for reuse. On the command line, have the connection closed after each response (HTTP/1.0 implies this; the header requests it explicitly):
curl --http1.0 https://example.com
curl -H "Connection: close" https://example.com
libcurl applications get the same effect by setting CURLOPT_FORBID_REUSE to 1L on the easy handle. Note that --no-keepalive only disables TCP keepalive probes and does not affect connection reuse.
🧯 If You Can't Patch
- Restrict curl usage to trusted servers only
- Implement network segmentation to limit curl's access to internal networks only
🔍 How to Verify
Check if Vulnerable:
Check the curl version with curl --version. If the version is between 7.75.0 and 7.76.1 inclusive and curl is built with OpenSSL (the banner shows an OpenSSL/ entry), it is vulnerable.
Check Version:
curl --version | head -1
Verify Fix Applied:
Verify curl version is 7.77.0 or later: curl --version | head -1
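The version and backend check above, automated as a POSIX shell function. This is an added example, not part of the advisory or of the curl project: it parses the first line of `curl --version`, compares the libcurl version against the 7.75.0 to 7.76.1 range the advisory gives, and reports a non-OpenSSL build as not affected, which is what the advisory's "built with OpenSSL" condition implies. The banner strings at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not from the advisory or the curl project): classify a
# `curl --version` banner against the CVE-2021-22901 affected range.
#
# Input:  the first line of `curl --version`, e.g.
#         curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 OpenSSL/1.1.1k zlib/1.2.11
# Output: VULNERABLE | NOT_AFFECTED_VERSION | NOT_AFFECTED_BACKEND | UNKNOWN

cve_2021_22901_status() {
    banner="$1"

    # The bug lives in libcurl, so read the libcurl/ version, not the tool's.
    ver=$(printf '%s\n' "$banner" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p')
    if [ -z "$ver" ]; then
        echo UNKNOWN
        return 0
    fi

    # Split major.minor.patch; tolerate a two-part "7.76" by treating patch as 0.
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then
        patch=0
    fi

    # Encode as one integer so the range test is a plain numeric comparison.
    num=$((major * 1000000 + minor * 1000 + patch))
    lo=$((7 * 1000000 + 75 * 1000 + 0))   # 7.75.0, first affected (per advisory)
    hi=$((7 * 1000000 + 76 * 1000 + 1))   # 7.76.1, last affected (per advisory)

    if [ "$num" -lt "$lo" ] || [ "$num" -gt "$hi" ]; then
        echo NOT_AFFECTED_VERSION
        return 0
    fi

    # In range: only OpenSSL builds carry the vulnerable session-ticket callback.
    case "$banner" in
        *OpenSSL/*) echo VULNERABLE ;;
        *)          echo NOT_AFFECTED_BACKEND ;;
    esac
}

# Constructed sample banners (not real systems) to show each outcome.
cve_2021_22901_status 'curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 OpenSSL/1.1.1k zlib/1.2.11'
cve_2021_22901_status 'curl 7.75.0 (x86_64-pc-linux-gnu) libcurl/7.75.0 GnuTLS/3.6.15 zlib/1.2.11'
cve_2021_22901_status 'curl 7.77.0 (x86_64-pc-linux-gnu) libcurl/7.77.0 OpenSSL/1.1.1k zlib/1.2.11'

# Check the curl actually installed on this host, if there is one.
if command -v curl >/dev/null 2>&1; then
    cve_2021_22901_status "$(curl --version | head -n 1)"
fi
```

Run the script on each host you manage, or feed it banners collected by your inventory tooling; a result of VULNERABLE means the host needs the 7.77.0 update or one of the workarounds above.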
📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory corruption errors
- Unexpected curl process termination
Network Indicators:
- TLS 1.3 connections to unusual servers followed by crashes
- Multiple failed connections from same client
SIEM Query:
source="*curl*" AND (event_type="crash" OR error="segmentation fault" OR error="use-after-free")
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf
- https://curl.se/docs/CVE-2021-22901.html
- https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479
- https://hackerone.com/reports/1180380
- https://security.netapp.com/advisory/ntap-20210723-0001/
- https://security.netapp.com/advisory/ntap-20210727-0007/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html