Multiple vulnerabilities in curl library

Advisory ID	CVE Number	Date discovered	Severity	Advisory revision
STORM-2019-002	CVE-2015-3236 , CVE-2015-3237 , CVE-2016-8616 , CVE-2016-9594 , CVE-2017-2629 , CVE-2016-5419 , CVE-2016-5420 , CVE-2017-7468 , CVE-2016-8618 , CVE-2016-8619 , CVE-2016-9586 , CVE-2017-8816 , CVE-2017-8817 , CVE-2017-8818 , CVE-2017-1000101 , CVE-2018-16839 , CVE-2018-16842 , CVE-2018-1000120 , CVE-2018-1000121 , CVE-2018-1000122 , CVE-2018-1000300 , CVE-2016-7167 , CVE-2016-8622 , CVE-2017-1000254 , CVE-2018-16890 , CVE-2019-3822 , CVE-2016-0755 , CVE-2016-8615 , CVE-2016-8624 , CVE-2016-8625 , CVE-2016-5421 , CVE-2017-1000100	04/12/2019	medium	v2

Vulnerability details

Multiple vulnerabilities in cURL library can lead to denial of service, arbitrary code execution or traffic inteception.

Products	Severity	Detail
Stormshield Network Security	medium	The SNS products embed a vulnerable version of the cURL library.

Version	Date	Description
v1		Initial release
v2	08/27/2019	Add FAST360 status

Several vulnerabilities in cURL libraries allows:

-Arbitrary code execution, or

-Traffic interception, leading to update a SNS firewall with a rogue firmware

Workaround solution	Solution
There is no workaround solution.	The 3.7.4, 3.8.1 and 2.14 update fix this vulnerability.

Access vector	Access complexity	Authentication	Confidentiality impact	Integrity impact	Availability impact
Network	High	None	Complete	Complete	Complete

CVSS Base score: 7.6	CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Exploitability	Remediation Level	Report Confidence
Unproven that exploit exists	Official fix	Confirmed

CVSS Temporal score: 5.6	CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Collateral Damage Potential	Target Distribution
None	High [76-100%]

CVSS Environmental score: 5.6	CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)