
Wednesday, March 4, 2026

Critical cURL Security Update USN-8062-2: What Ubuntu LTS Admins Must Do Now


Urgent: Canonical has released USN-8062-2, a security update for cURL that brings fixes for five CVEs to Ubuntu 14.04, 16.04, 18.04 and 20.04 LTS. The fixes cover OAuth2 bearer-token leakage on redirects, a TLS certificate verification bypass in connection reuse, SSH host key spoofing, silently disabled LDAPS certificate checks and unintended authentication attempts in libssh builds. This post explains how these flaws affect systems that are past standard support and gives the exact commands to apply the fix through Ubuntu Pro's Extended Security Maintenance (ESM).

If you manage legacy Ubuntu infrastructure, every outbound HTTPS, SFTP or LDAPS connection that goes through libcurl on those hosts is in scope for this update. On March 3, 2026, Canonical released USN-8062-2, which extends the cURL data transfer library fixes to Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS and 20.04 LTS.

This is not a routine update. It addresses attack vectors that could allow malicious actors to compromise encrypted communications, steal authentication tokens, and bypass security policies. 

For enterprises relying on these Long-Term Support (LTS) releases, immediate action is required to maintain security posture and compliance.

The Core Threat: Why This cURL Update is Non-Negotiable

cURL is the silent workhorse of modern digital infrastructure. It powers everything from API calls in your backend scripts to the many system tools, monitoring agents and language bindings that link libcurl. A vulnerability in cURL is a vulnerability in the fabric of your system's communication.

This update (USN-8062-2) backports the fixes first published in USN-8062-1 to releases that are in Extended Security Maintenance (ESM). Five CVEs are covered and are detailed below; one of them, CVE-2025-14819, is noted by the advisory as affecting newer releases. Ignoring this patch exposes your estate to significant operational risk.

Deep Dive: The Vulnerabilities Affecting Your Ubuntu LTS Systems

The update addresses specific flaws in how cURL handles secure connections and authentication. Here is a technical breakdown of the CVEs covered by the update for Ubuntu 14.04, 16.04, 18.04 and 20.04:

1. TLS Certificate Validation Bypass (CVE-2025-14819)

  • Risk: A flaw in connection reuse logic could allow a remote attacker to bypass TLS certificate verification. This undermines the entire trust model of HTTPS, making machine-in-the-middle (MITM) attacks trivial.

  • Impacted Systems: the advisory lists this particular issue against Ubuntu 24.04 LTS and 25.10 rather than the ESM releases. It is described here because it belongs to the same USN-8062 fix set; check the USN-8062-2 text for your release before assuming exposure or immunity.

2. SSH Host Key Spoofing (CVE-2025-15079)

  • Mechanism: Discovered by Harry Sintonen, this vulnerability lies in how cURL validates SSH host keys during SFTP/SCP transfers. An attacker in the network path could present a fraudulent host key and pass the check that your known_hosts file is supposed to enforce, so the transfer proceeds to a host you never trusted.

  • Impact: Total loss of SSH session integrity for automated file transfers.

3. OAuth2 Bearer Token Leakage on Redirect (CVE-2025-14524)

  • Mechanism: When following HTTP redirects, cURL could send the OAuth2 bearer token it was given for the original host on to a third-party server named in the redirect.

  • Business Impact: For organizations using OAuth2 for service-to-service authentication, a leaked bearer token is a reusable credential; it can lead to account takeover and lateral movement by attackers.

4. LDAP over TLS (LDAPS) Certificate Check Failure (CVE-2025-14017)

  • Context: In multi-threaded environments, TLS options for LDAP transfers could be mismanaged, silently disabling certificate verification.

  • Result: Authentication credentials sent to directory services could be intercepted.

5. Unexpected Authentication via libssh (CVE-2025-15224)

  • Technical Detail: Another finding by Harry Sintonen, this issue affects cURL builds using libssh. It could trigger unintended authentication attempts, potentially exposing credentials to rogue servers.

A Legacy of Risk: Why This Update Targets Older Stacks

It is critical to note that these fixes reach Ubuntu 14.04, 16.04, 18.04 and 20.04 only through the esm-infra pocket: every package version in the table below carries an +esm suffix. A plain apt update followed by apt upgrade will not install them unless the machine is attached to Ubuntu Pro with esm-infra enabled.

Attackers specifically target legacy systems because they are a treasure trove of unpatched vulnerabilities. This update underscores the necessity of maintaining security coverage for your entire infrastructure, not just your current OS versions.

Actionable Guide: How to Remediate These cURL Vulnerabilities

Mitigating these risks requires a two-step process: ensuring you have access to the ESM repository and then applying the update.

Step 1: Verify Ubuntu Pro Access

An Ubuntu Pro token is required to reach the ESM packages. It is free for personal use on up to five machines.

bash
# Check whether the machine is attached and whether esm-infra is enabled
sudo pro status
# Attach a token (replace YOUR_TOKEN with the token from your Ubuntu Pro account);
# esm-infra is enabled by default when you attach
sudo pro attach YOUR_TOKEN
# If esm-infra still shows as disabled afterwards, enable it explicitly
sudo pro enable esm-infra

Step 2: Update the cURL Packages

Once ESM is enabled, perform a standard system update to pull in the patched versions.

bash
sudo apt update
# A full upgrade pulls curl and libcurl together with anything else pending from the ESM pocket
sudo apt upgrade
# To limit the change to the packages named in the table, use --only-upgrade
# (libcurl4 on 18.04/20.04, libcurl3 on 14.04/16.04; apt upgrade with package
# names is not accepted by the older apt on 14.04)
sudo apt-get install --only-upgrade curl libcurl4    # 18.04 / 20.04
sudo apt-get install --only-upgrade curl libcurl3    # 14.04 / 16.04

Verification: curl --version reports only the upstream release (for example 7.68.0), not the Ubuntu package revision that carries the fix, so check the installed package versions and compare them with the table below.

bash
dpkg-query -W -f='${Package} ${Version}\n' curl libcurl4 libcurl3 2>/dev/null

Note that a process which loaded the old libcurl before the upgrade keeps running the unpatched code until it is restarted, so restart long-running daemons that link libcurl (or reboot) after the packages have been updated.

Package Versions: Confirming Your Patch Status

Refer to the following table to ensure your systems are running these package versions or later:

Ubuntu Release        Package    Required Version
20.04 LTS (Focal)     curl       7.68.0-1ubuntu2.25+esm2
                      libcurl4   7.68.0-1ubuntu2.25+esm2
18.04 LTS (Bionic)    curl       7.58.0-2ubuntu3.24+esm7
                      libcurl4   7.58.0-2ubuntu3.24+esm7
16.04 LTS (Xenial)    curl       7.47.0-1ubuntu2.19+esm15
                      libcurl3   7.47.0-1ubuntu2.19+esm15
14.04 LTS (Trusty)    curl       7.35.0-1ubuntu2.20+esm19
                      libcurl3   7.35.0-1ubuntu2.20+esm19
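The steps above can be folded into one audit script that you run on every host. The following is an added example and not part of the Canonical advisory or of the original post: it encodes the table above, compares the installed curl and libcurl package versions against it using dpkg's own version ordering, and then scans /proc to list processes that still have the old (now deleted) libcurl mapped and therefore need a restart. It assumes an Ubuntu host with dpkg-query and lsb_release; the sort -V fallback is an assumption for running the comparison on a machine without dpkg and is only correct for the plain numeric suffixes these versions use.

```shell
#!/bin/sh
# Added example: audit a host against the USN-8062-2 versions listed above.
# Not from the advisory or the original post. Assumes dpkg-query and
# lsb_release are available on the host being audited.

# Minimum fixed version per release codename (copied from the table above).
required_version() {
    case "$1" in
        focal)  echo "7.68.0-1ubuntu2.25+esm2" ;;
        bionic) echo "7.58.0-2ubuntu3.24+esm7" ;;
        xenial) echo "7.47.0-1ubuntu2.19+esm15" ;;
        trusty) echo "7.35.0-1ubuntu2.20+esm19" ;;
        *)      return 1 ;;
    esac
}

# Name of the libcurl runtime package on each release.
libcurl_package() {
    case "$1" in
        focal|bionic)  echo "libcurl4" ;;
        xenial|trusty) echo "libcurl3" ;;
        *)             return 1 ;;
    esac
}

# version_ge A B: succeed when A >= B in Debian version order.
# dpkg implements the real algorithm; the sort -V fallback (assumption for
# hosts without dpkg) is correct for +esmN suffixes but mis-orders '~'.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# is_patched CODENAME VERSION: 0 if VERSION meets the fix for that release,
# 1 if it is older, 2 if the release is not covered by this advisory.
is_patched() {
    req=$(required_version "$1") || return 2
    version_ge "$2" "$req"
}

# installed_version PACKAGE: print the installed version, or nothing.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# audit_host: detect the release, compare curl and libcurl, list processes
# still running the old library, return 1 if anything is below the fix.
audit_host() {
    release=$(lsb_release -cs 2>/dev/null)
    req=$(required_version "$release") || {
        echo "release '$release' is not covered by USN-8062-2"; return 2; }
    rc=0
    for pkg in curl "$(libcurl_package "$release")"; do
        cur=$(installed_version "$pkg")
        if [ -z "$cur" ]; then
            echo "$pkg: not installed"
        elif version_ge "$cur" "$req"; then
            echo "$pkg: $cur OK (>= $req)"
        else
            echo "$pkg: $cur VULNERABLE (need $req)"; rc=1
        fi
    done
    # A process that mapped libcurl before the upgrade keeps the old code;
    # the kernel marks the unlinked file "(deleted)" in /proc/PID/maps.
    for maps in /proc/[0-9]*/maps; do
        if grep -q 'libcurl.*(deleted)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            echo "restart needed: pid $pid ($(tr '\0' ' ' < "/proc/$pid/cmdline"))"
        fi
    done
    return $rc
}

# Run the audit only when executed as a script named curl-usn-audit.sh,
# so the functions can also be sourced and tested on their own.
case "$0" in
    */curl-usn-audit.sh|curl-usn-audit.sh) audit_host ;;
esac
```

Save it as curl-usn-audit.sh and run it with sudo sh curl-usn-audit.sh on each host; root is needed for the /proc scan to see other users' processes. The exit status is 1 when a package is still below the required version, which makes it easy to fan out with your configuration management or SSH loop and collect the stragglers.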

Frequently Asked Questions (FAQ)

Q: What is ESM and why do I need it?

A: Extended Security Maintenance (ESM) provides critical security patches for Ubuntu LTS releases after the standard five-year maintenance period ends. It is available via an Ubuntu Pro subscription.

Q: Are my systems automatically protected?

A: No. If you are running an ESM release (14.04, 16.04, 18.04 or 20.04), you must have Ubuntu Pro attached with esm-infra enabled and then update the packages yourself; a host that is not attached never sees these versions.

Q: What is the difference between libcurl3 and libcurl4?

A: Both are upstream curl 7.x; the names are Debian binary package names for the shared library, and the package was renamed from libcurl3 to libcurl4 with the 7.58 packaging. That is why Ubuntu 14.04 and 16.04 carry libcurl3 while 18.04 and 20.04 carry libcurl4. The update provides the corrected version of whichever package your release ships.

Q: Could these vulnerabilities lead to a data breach?

A: Yes. CVE-2025-14524 (OAuth2 token leakage) and CVE-2025-14819 (TLS bypass) directly facilitate credential theft and machine-in-the-middle attacks, which are common precursors to data breaches.

Conclusion: Securing Your Data Transfer Layer

The cURL library is fundamental to the secure operation of your Ubuntu servers. USN-8062-2 addresses critical weaknesses that could undermine encryption and authentication. 

By understanding the specific risks, from SSH host key spoofing to OAuth2 token leakage, and applying the updates via Ubuntu Pro, you close significant security gaps in your legacy infrastructure.

Next Steps:

  1. Audit your infrastructure for systems running Ubuntu 14.04-20.04.

  2. Enable Ubuntu Pro on those systems immediately.

  3. Execute the update commands provided above.

  4. Subscribe to the Ubuntu security announcements feed to stay ahead of emerging threats.
