Possible Solutions to a curl Vulnerability (CVE-2023-38545) in ENVI 5.6/5.7 & IDL 8.8/8.9

NOTE: This vulnerability only affects ENVI 5.6.0-5.7.0 and IDL 8.8.0-8.9.0.

Background Information:

A security vulnerability was discovered in the libcurl library, which may cause your ENVI or IDL installation to be flagged as a security risk by vulnerability scanners. The flaw is in the third-party libcurl library that ships with the products, not in the ENVI or IDL applications themselves.

You can read more about this specific vulnerability here: CVE-2023-38545

It should be noted that this is a fairly obscure security flaw and it would be near-impossible for a user of ENVI/IDL to actually encounter the security risk. However, if your IT policies require a remedy, several possible solutions and workarounds are described below.

 

Solution:

UPGRADE YOUR ENVI/IDL VERSION (HIGHLY RECOMMENDED):

Upgrading to ENVI 6.0 or later, or IDL 9.0 or later, fully resolves the problem: those releases ship a patched version of libcurl that is not affected by this vulnerability.

 

Other Possible Work-Arounds:

DELETE THE LIBCURL FILE(S) (IDL USERS ONLY):

Note that this option is available only for IDL-only installations. ENVI requires libcurl for much of its functionality, so ENVI users cannot simply delete the offending libcurl file(s).

If you are not able to upgrade to a newer IDL version (the recommended fix), and your workflows do not use the NetCDF or IDLnetURL functionality, then you can safely delete the libcurl file from the IDL bin directory. The file to delete depends on your platform:

Windows: C:\Program Files\Harris\IDL89\bin\bin.x86_64\libcurl.dll
Linux: /usr/local/harris/idl89/bin/bin.linux.x86_64/libcurl.so
MacOS: /Applications/harris/idl89/bin/bin.darwin.x86_64/libcurl.4.8.0.dylib

 

Depending on your exact version of IDL, there may also be a second libcurl file in your installation that is used for licensing (activation, deactivation, and connection to a license server). This file would need to be deleted as well to mitigate the risk. While not fully tested, your existing licensing should continue to work after deleting this file; however, you may lose the ability to activate or deactivate licenses from that computer:

Windows: C:\Program Files\Harris\IDL89\license_utils\bin.x86_64\libcurl.dll
Linux: /usr/local/harris/idl89/license_utils/bin.linux.x86_64/libcurl.so
MacOS: /Applications/harris/idl89/license_utils/bin.darwin.x86_64/libcurl.4.8.0.dylib

 

SWAP IN AN "UNAFFECTED" LIBCURL LIBRARY:

If you are an ENVI user, or if you use one of the IDL features that require libcurl, you can swap in a version of libcurl that is not affected by this security flaw (e.g. libcurl < 7.69.0 or >= 8.4.0). You can either copy one of these "unaffected" versions of libcurl into your IDL bin directory (and license_utils directory), or delete the bundled file and make sure that an "unaffected" system libcurl is on your library path. Note that ENVI and IDL have not been tested with all possible variations of libcurl; as such, this custom configuration is not officially supported nor recommended.
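As an added example (not from the article or from NV5), the following Python script checks the two libcurl locations named above under an IDL install root and reports whether each copy falls in the affected range (7.69.0 up to but not including 8.4.0). It assumes the IDL 8.9 directory layout shown in this article and loads each library with ctypes to call libcurl's own curl_version() function; point it at your install root (e.g. C:\Program Files\Harris\IDL89) to verify a workaround took effect.

```python
import ctypes
import re
import sys
from pathlib import Path

# Affected window as stated in the article: introduced in 7.69.0, fixed in 8.4.0.
FIRST_AFFECTED, FIRST_FIXED = (7, 69, 0), (8, 4, 0)

# The two libcurl locations named in the article, relative to the IDL 8.9 install root.
RELATIVE_PATHS = {
    "win32": ["bin/bin.x86_64/libcurl.dll", "license_utils/bin.x86_64/libcurl.dll"],
    "linux": ["bin/bin.linux.x86_64/libcurl.so", "license_utils/bin.linux.x86_64/libcurl.so"],
    "darwin": ["bin/bin.darwin.x86_64/libcurl.4.8.0.dylib",
               "license_utils/bin.darwin.x86_64/libcurl.4.8.0.dylib"],
}

def parse_version(banner):
    """Turn a curl_version() banner such as 'libcurl/8.1.2 OpenSSL/3.0.8' into (8, 1, 2)."""
    m = re.match(r"libcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised libcurl banner: {banner!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when 7.69.0 <= version < 8.4.0, the range the article describes as affected."""
    return FIRST_AFFECTED <= version < FIRST_FIXED

def library_version(path):
    """Load the shared library and ask it for its own version via libcurl's curl_version()."""
    lib = ctypes.CDLL(str(path))
    lib.curl_version.restype = ctypes.c_char_p
    return parse_version(lib.curl_version().decode())

def audit(install_root, platform=sys.platform):
    """Map each known libcurl path under install_root to absent/affected/unaffected/unknown."""
    key = "win32" if platform.startswith("win") else ("darwin" if platform == "darwin" else "linux")
    report = {}
    for rel in RELATIVE_PATHS[key]:
        path = Path(install_root) / rel
        if not path.is_file():
            report[str(path)] = "absent"
            continue
        try:
            report[str(path)] = "affected" if is_affected(library_version(path)) else "unaffected"
        except (OSError, ValueError) as exc:   # unloadable binary or unexpected banner
            report[str(path)] = f"unknown ({exc})"
    return report

if __name__ == "__main__":  # usage: python audit_libcurl.py /usr/local/harris/idl89
    for path, status in audit(sys.argv[1]).items():
        print(f"{status:12} {path}")
```

A result of "absent" for both paths confirms the delete workaround; "unaffected" for a swapped-in library confirms the replacement is outside the vulnerable range.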


Created by BC on 11/08/2023 | Reviewed by JU on 11/9/2023
