CVE-2021-22890: 
Splunk Forwarder vulnerability analysis and mitigation

CVE-2021-22890 affects curl versions 7.63.0 through 7.75.0, involving a vulnerability that allows a malicious HTTPS proxy to perform a Man-in-the-Middle (MITM) attack due to improper handling of TLS 1.3 session tickets. The vulnerability was discovered by Mingtao Yang of Facebook and disclosed on March 17, 2021 (Curl Docs).

When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly 'short-cut' the host handshake. The issue occurs because of modified sequence changes from TLS 1.2 to TLS 1.3, where session IDs were previously provided only during TLS handshake but in TLS 1.3 happen post-handshake. The code was not updated to handle this changed behavior (Curl Docs).

When exploited, this vulnerability allows a malicious HTTPS proxy to trick libcurl into using the wrong session ticket resume for the host, thereby circumventing the server TLS certificate check. This enables a MITM attack to be performed undetected, though the malicious proxy needs to provide a certificate that curl accepts for the MITMed server unless curl has been configured to ignore certificate checks (Curl Docs).

The issue was fixed in curl version 7.76.0. Users are recommended to upgrade to this version or later. If upgrading is not immediately possible, alternative mitigations include using another TLS backend, avoiding TLS 1.3 with HTTPS proxies, or applying the patch to local versions (Curl Docs).