4 votos

Hello,
My security team removed libcurl.so.4 that came with my MATLAB installation of R2022a. This is due to vulnerability cve-2023-38545. I did a softlink to the patched version - libcurl.so.4.8.4, but MATLAB crashes. Is there any workaround, or will there be any response from MATLAB? I have an open case to MATLAB currently, but haven't received any useful update. Also, this affects R2023b as well.

Iniciar sesión para responder a esta pregunta.

 Respuesta aceptada

MathWorks Support Team
MathWorks Support Team el 21 de Mzo. de 2024

0 votos

One of the prerequisites for this CVE (CVE-2023-38545) to be exploited is the use of SOCKS5 proxies in host resolver mode. This would only be applicable if users explicitly configure MATLAB to use a proxy with "socks5h://" scheme (through proxy environment variables, Preferences, or the HttpOptions API).
Additionally, we implemented the use of ‘libcurl’ 8.4.0 in R2023b Update 4 and would suggest an upgrade to at least R2023b Update 4 version for resolving this CVE (if you use “sock5h” in your workflows) with older ‘libcurl’ versions.
The ‘libcurlis linked to the OpenSSL shipping with MATLAB at build time, and we've updated from OpenSSL 2 to OpenSSL 3 in R2023b which is a non-backwards compatible change. ‘libcurl’ will look for symbols in the OpenSSL that don't exist in older MATLABs. Dropping in the R2023b OpenSSL version into older releases is not an option, as it will break all libraries that use it.
Only the officially shipped 3rd party libraries are tested with MATLAB, and linking to any other 3rd party libraries may have potential downsides since MATLAB has not been tested with any other versions of those libraries. This is especially true for curl, which has extensive build time configuration options that we make use of.

Más respuestas (1)

Maneet Kaur Bagga
Maneet Kaur Bagga el 15 de Nov. de 2023

1 voto

Hi Michael,
Curl has been upgraded to 8.4.0 in R2023b Upgrade 4, which resolves the issue.
Hope this helps!

4 comentarios
Mostrar 2 comentarios más antiguos Ocultar 2 comentarios más antiguos

Vincent Sherart
Vincent Sherart el 1 de Feb. de 2024
Folks, Curl needs to be patched on previous versions back to 2021a, or my org will need to force everybody to upgrade to R2023b Upgrade 4. Angry users with pitchforks and torches will be at my office door when I announce that little requirement.
Vincent Sherart
Joseph Macon
Joseph Macon el 9 de Feb. de 2024
Could MathWorks please answer this question? It's February 2024. Matlab 2022b is less than two years old. Update 8 shipped last week. Will MathWorks provide an update for earlier versions of Matlab to patch the libcurl vulnerability? Does MathWorks deem certain versions of Matlab secure despite the CVE? Upgrading to Matlab 2023b is not a viable solution for everybody. When vulnerabilities are discovered in 2023b, will the only solution be to upgrade to 2024a/b?
David Ritz
David Ritz el 16 de Mzo. de 2024
Editada: David Ritz el 16 de Mzo. de 2024
I agree that MathWorks should release udates to older MATLAB versions to fix this, but my workaround for R2021a, if it helps anyone: I edited matlabrc.m to allow Matlab to find and use the libcurl library installed with the OS. I added this before the 'Clean up workspace' line:
echo off
path1 = getenv('LD_LIBRARY_PATH');
path = ['/lib64' ':' path1];
setenv('LD_LIBRARY_PATH', path);
I was then able to delete the libcurl version packaged with MATLAB, curl still worked within MATLAB, and we achieved a clean vulnerability scan. The specifics, of course, may differ depending on your OS/distribution.
MathWorks Support Team
MathWorks Support Team el 21 de Mzo. de 2024
Only the officially shipped 3rd party libraries are tested with MATLAB, and linking to any other 3rd party libraries may have potential downsides since MATLAB has not been tested with any other versions of those libraries. This is especially true for curl, which has extensive build time configuration options that we make use of.
Please refer to the newly accepted answer on this post for more information.

Iniciar sesión para comentar.

Categorías

Más información sobre BeagleBone Black en Centro de ayuda y File Exchange.

Etiquetas

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!

Translated by