libcurl did not check the server certificate of TLS connections made to a host specified as an IP address when built to use mbedTLS. libcurl would wrongly skip calling the set-hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc.). Since the SNI field is not set when the hostname is an IP address, many requests will fail to reach the correct endpoint or get the correct data, which somewhat lessens the possible impact. Not all versions of mbedTLS support server certificate checks for IP addresses, so once this issue is fixed, all attempts to connect directly to an IP address over TLS might fail. This vulnerability is similar to a past curl vulnerability identified as CVE-2016-3739. This flaw also affects the curl command line tool.

Reference: https://curl.se/docs/CVE-2024-2466.html
Upstream patch: https://github.com/curl/curl/commit/3d0fd382a29b95561b90b7ea3e7e
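Because the flaw only exists in builds that use the mbedTLS backend, the first thing to establish on a host is which TLS library its curl links. The following Python check is an added example, not part of this advisory or of curl's own code: it parses the first line of `curl --version` output (which names the libcurl version and the TLS backend as `libcurl/x.y.z` and `mbedTLS/x.y.z` tokens, with MultiSSL builds listing backends in parentheses) and reports whether a build is mbedTLS-based and older than a fixed version you supply. The banner strings are constructed samples, and `FIXED_LIBCURL_VERSION` is a placeholder to fill in from the curl advisory.

```python
import re

# Constructed sample banners in the shape of the first line of `curl --version`.
# Version numbers are made up for illustration, not taken from the advisory.
SAMPLE_BANNERS = {
    "mbedtls-build": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 mbedTLS/3.4.0 zlib/1.3",
    "openssl-build": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3",
    "multissl-build": "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 (OpenSSL/3.0.13 mbedTLS/3.4.0) zlib/1.3",
}

# Placeholder: first libcurl release carrying the upstream fix; take the real
# value from the curl advisory for the release line you run.
FIXED_LIBCURL_VERSION = "X.Y.Z"

TLS_BACKENDS = r"mbedTLS|OpenSSL|GnuTLS|wolfSSL|BoringSSL|Schannel|SecureTransport|rustls|BearSSL"


def parse_version(text):
    """Turn 'x.y.z' into a comparable tuple of ints; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def parse_banner(banner):
    """Return (libcurl version or None, list of lower-cased TLS backend names)."""
    m = re.search(r"\blibcurl/(\d+(?:\.\d+)*)", banner)
    libcurl = m.group(1) if m else None
    backends = re.findall(r"\b(" + TLS_BACKENDS + r")/", banner, re.I)
    return libcurl, [b.lower() for b in backends]


def uses_mbedtls(banner):
    """True when mbedTLS is among the linked backends (single or MultiSSL build)."""
    return "mbedtls" in parse_banner(banner)[1]


def is_exposed(banner, fixed_version):
    """Exposed only if the build uses mbedTLS AND libcurl predates fixed_version."""
    libcurl, _ = parse_banner(banner)
    if libcurl is None or not uses_mbedtls(banner):
        return False
    return parse_version(libcurl) < parse_version(fixed_version)


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name}: mbedTLS={uses_mbedtls(banner)} "
              f"exposed={is_exposed(banner, FIXED_LIBCURL_VERSION)}")
```

On a real host, feed it the first line of `curl --version`; a build that does not list mbedTLS is outside the scope of this issue regardless of version.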
We do not build (lib)curl with mbedTLS support, so the reported security issue does not apply.
This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2024:2694 https://access.redhat.com/errata/RHSA-2024:2694

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2024:2693 https://access.redhat.com/errata/RHSA-2024:2693