DIVD-2023-00012 - Unauthenticated Remote Command Execution in IBM Aspera Faspex
| Our reference | DIVD-2023-00012 |
| Case lead | Axel Boesenach |
| Researcher(s) | |
| CVE(s) | |
| Product | IBM Aspera Faspex |
| Versions |
|
| Recommendation | Update your Aspera Faspex instance to 4.4.2 Patch Level 2 to mitigate the vulnerability. |
| Status | Closed |
| Last modified | 20 Apr 2023 12:58 CEST |
Summary
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system.
What you can do
Update your Aspera Faspex instance to 4.4.2 Patch Level 2 to mitigate the vulnerability.
What we are doing
DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding Aspera Faspex instances and verifying their version.
Timeline
| Date | Description |
|---|---|
| 17 Feb 2023 | IBM security bulletin released |
| 21 Feb 2023 | DIVD starts researching fingerprint. |
| 23 Feb 2023 | DIVD identifies vulnerable parties. |
| 01 Mar 2023 | DIVD sends first round of notifications. |
| 11 Mar 2023 | DIVD conducts second scan and sends second round of notifications. |
| 05 Apr 2023 | DIVD conducts third scan and sends third round of notifications. |
| 20 Apr 2023 | Case closed. |
gantt
title DIVD-2023-00012 - Unauthenticated Remote Command Execution in IBM Aspera Faspex
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00012 - Unauthenticated Remote Command Execution in IBM Aspera Faspex (62 days) :2023-02-17, 2023-04-20
section Events
IBM security bulletin released : milestone, 2023-02-17, 0d
DIVD starts researching fingerprint. : milestone, 2023-02-21, 0d
DIVD identifies vulnerable parties. : milestone, 2023-02-23, 0d
DIVD sends first round of notifications. : milestone, 2023-03-01, 0d
DIVD conducts second scan and sends second round of notifications. : milestone, 2023-03-11, 0d
DIVD conducts third scan and sends third round of notifications. : milestone, 2023-04-05, 0d
Case closed. : milestone, 2023-04-20, 0d