cURL vulnerability

Hi.

Is Identity Manager (any version) affected by the recent cURL vulnerability?

More specifically: 
CVE-2023-38545
CVE-2023-38546

/Henrik

  • I guess I have to answer my own question since no one else is going to:

    These CVEs reference vulnerabilities affecting curl and libcurl, a command line tool and development library used to transfer files to and from servers using various network protocols. One Identity Manager does not utilize or contain these packages.

    However, since this is an on-prem solution, many common operating systems come pre-installed with curl and libcurl packages. There is a very good possibility that the underlying infrastructure running the customer’s IGA solution could contain the affected software. This can be identified by any number of vulnerability management tools or manually identified by attempting to run the following command at a command prompt: curl --version

    If the package is installed and returns a version between 7.69.0 and 8.3.0, an updated version of curl is recommended.
    If the operating system is linux-based, the customer can update the packages using an existing linux package manager. If the operating system is Microsoft Windows, then a monthly cumulative update will be provided by Microsoft. It is not recommended to update curl manually on Windows.
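One way to automate the version check described in the answer above, as an added example that is not from this thread or from One Identity; it assumes a POSIX shell with awk, and uses a constructed banner in place of live `curl --version` output.

```shell
#!/bin/sh
# Added example: flag a curl install whose version is within the range named
# above (7.69.0 through 8.3.0, inclusive). Not part of the original thread.

# Turn "major.minor.patch" into one integer so versions compare numerically.
version_key() {
    printf '%s' "$1" | awk -F. '{ printf "%d", ($1 * 1000000) + ($2 * 1000) + $3 }'
}

# Succeed (exit 0) when the version lies within [7.69.0, 8.3.0].
in_affected_range() {
    v=$(version_key "$1")
    lo=$(version_key 7.69.0)
    hi=$(version_key 8.3.0)
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Pull the version out of the first line of `curl --version` output,
# e.g. "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 ...".
version_from_banner() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "curl" { print $2; exit }'
}

# Print a verdict for a banner; exit 0 = affected, 1 = not affected, 2 = unknown.
check_banner() {
    ver=$(version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unknown"; return 2
    fi
    if in_affected_range "$ver"; then
        echo "affected ($ver)"; return 0
    fi
    echo "not-affected ($ver)"; return 1
}

# Constructed sample banner used when run stand-alone. On a real host use:
#   check_banner "$(curl --version 2>/dev/null)"
SAMPLE_BANNER='curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2023-05-30'

check_banner "$SAMPLE_BANNER"
```

Distribution packages often backport the fix without bumping the version string, so treat an "affected" result as a prompt to check the vendor's advisory rather than a final verdict.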

  • Hi Henrik, Identity Manager does not deploy cURL on its own. Identity Manager does make cURL calls in a few places, but cURL is expected to be provided by the underlying operating system and must be updated there as soon as possible.

    Regards

    Hanno