DIVD-2023-00012 - Unauthenticated Remote Command Execution in IBM Aspera Faspex
| Our reference | DIVD-2023-00012 |
| Case lead | Axel Boesenach |
| Researcher(s) | |
| CVE(s) | |
| Product | IBM Aspera Faspex |
| Versions |
|
| Recommendation | Update your Aspera Faspex instance to 4.4.2 Patch Level 2 to mitigate the vulnerability. |
| Status | Open |
| Last modified | 11 Mar 2023 17:12 |
Summary
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system.
What you can do
Update your Aspera Faspex instance to 4.4.2 Patch Level 2 to mitigate the vulnerability.
What we are doing
DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding Aspera Faspex instances and verifying their version.
Timeline
| Date | Description |
|---|---|
| 17 Feb 2023 | IBM security bulletin released |
| 21 Feb 2023 | DIVD starts researching fingerprint. |
| 23 Feb 2023 | DIVD identifies vulnerable parties. |
| 01 Mar 2023 | DIVD sends first round of notifications. |
| 11 Mar 2023 | DIVD conducts second scan and sends second round of notifications. |
gantt
title DIVD-2023-00012 - Unauthenticated Remote Command Execution in IBM Aspera Faspex
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00012 - Unauthenticated Remote Command Execution in IBM Aspera Faspex (still open) :2023-02-17, 2023-04-03
section Events
IBM security bulletin released : milestone, 2023-02-17, 0d
DIVD starts researching fingerprint. : milestone, 2023-02-21, 0d
DIVD identifies vulnerable parties. : milestone, 2023-02-23, 0d
DIVD sends first round of notifications. : milestone, 2023-03-01, 0d
DIVD conducts second scan and sends second round of notifications. : milestone, 2023-03-11, 0d