
DIVD-2023-00012 - Unauthenticated Remote Command Execution in IBM Aspera Faspex

Our reference DIVD-2023-00012
Case lead Axel Boesenach
Researcher(s)
CVE(s)
Product IBM Aspera Faspex
Versions
  • IBM Aspera Faspex: < 4.4.2 Patch Level 2
Recommendation Update your Aspera Faspex instance to 4.4.2 Patch Level 2 to mitigate the vulnerability.
Status Closed
Last modified 20 Apr 2023 12:58

Summary

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier allow an unauthenticated remote attacker to execute arbitrary code on the system because of a YAML deserialization flaw. By sending a specially crafted request to an obsolete API call, an attacker can have the server deserialize attacker-controlled YAML and thereby run arbitrary code.
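To show the class of bug behind this advisory, the following is an added Ruby illustration (Faspex is a Ruby on Rails application), not code from Faspex or from IBM: a full-power YAML loader will instantiate whatever Ruby class a `!ruby/object` tag names, whereas `YAML.safe_load` refuses anything beyond basic types. The `AuditEntry` class and the hostile document are constructed for the example; the actual endpoint and gadget chain used against Faspex are not described on this page.

```ruby
require 'yaml'

# Constructed stand-in for any application class an attacker might name in a YAML tag.
# In a real deserialization attack the named class is one whose instantiation or
# later method calls have side effects; here it is harmless so the example is safe to run.
class AuditEntry
  attr_accessor :user, :action
end

# Constructed attacker-controlled YAML: the tag asks the parser to build an arbitrary object.
HOSTILE_YAML = <<~YAML
  --- !ruby/object:AuditEntry
  user: attacker
  action: delete_everything
YAML

# Vulnerable pattern: the unrestricted loader honours !ruby/object tags.
# Psych >= 4 (Ruby 3.1+) moved this behaviour to YAML.unsafe_load; on older Psych
# the plain YAML.load call was already the unrestricted loader.
def parse_unsafe(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: safe_load only builds strings, numbers, arrays, hashes and a few
# other primitives; a tag naming a class that is not permitted raises Psych::DisallowedClass.
def parse_safe(doc)
  YAML.safe_load(doc)
end

# Returns :object_created if the loader instantiated the tagged class, :rejected if the
# loader refused the document, so both behaviours can be compared side by side.
def classify(loader, doc)
  result = send(loader, doc)
  result.is_a?(AuditEntry) ? :object_created : :plain_data
rescue Psych::DisallowedClass
  :rejected
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe loader: #{classify(:parse_unsafe, HOSTILE_YAML)}"
  puts "safe loader:   #{classify(:parse_safe, HOSTILE_YAML)}"
end
```

The fix pattern for application code is to route all untrusted YAML through `safe_load` (with an explicit `permitted_classes:` list only where genuinely needed); the Faspex fix itself is delivered by the vendor update named in the recommendation above.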

What you can do

Update your Aspera Faspex instance to 4.4.2 Patch Level 2 to mitigate the vulnerability.

What we are doing

DIVD is identifying vulnerable parties and notifying them. We do this by finding Aspera Faspex instances and verifying their version against the fixed release.
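The version check that decides whether an instance falls in the affected range can be expressed as a small comparison. The following is an added Ruby example, not DIVD's fingerprinting tooling: it assumes the version string format quoted on this page ("4.4.2 Patch Level 1"), treats a version without a patch-level suffix as patch level 0, and compares against 4.4.2 Patch Level 2 as the first fixed release.

```ruby
# First fixed release per this advisory: 4.4.2 Patch Level 2, encoded as
# [major, minor, patch, patch_level].
FIXED_VERSION = [4, 4, 2, 2].freeze

# Parses "4.4.2 Patch Level 1" or "4.4.2" into [major, minor, patch, patch_level].
# The "Patch Level N" suffix format is assumed from the versions quoted in this advisory;
# a bare "x.y.z" is taken to be patch level 0 (the initial build of that release).
def parse_faspex_version(str)
  m = str.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:\s+Patch\s+Level\s+(\d+))?\z/i)
  raise ArgumentError, "unrecognised Faspex version string: #{str.inspect}" unless m
  [m[1], m[2], m[3], m[4] || '0'].map(&:to_i)
end

# True when the version sorts strictly before the fixed release. Array#<=> compares
# element by element, so 4.4.2 PL1 < 4.4.2 PL2 and 4.3.9 PL7 < 4.4.2 PL2 both hold.
def vulnerable_version?(str)
  (parse_faspex_version(str) <=> FIXED_VERSION) < 0
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample of version strings as they might be collected during a scan.
  ['4.4.2 Patch Level 1', '4.4.2 Patch Level 2', '4.4.2', '4.3.9 Patch Level 7', '4.4.3'].each do |v|
    puts "#{v.ljust(22)} -> #{vulnerable_version?(v) ? 'VULNERABLE' : 'fixed'}"
  end
end
```

Only the version string is interpreted here; how a given scanner obtains it from a Faspex instance is outside what this page describes, and an instance that does not expose a version at all should be treated as unverified rather than as fixed.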

Timeline

Date Description
17 Feb 2023 IBM security bulletin released
21 Feb 2023 DIVD starts researching fingerprint.
23 Feb 2023 DIVD identifies vulnerable parties.
01 Mar 2023 DIVD sends first round of notifications.
11 Mar 2023 DIVD conducts second scan and sends second round of notifications.
05 Apr 2023 DIVD conducts third scan and sends third round of notifications.
20 Apr 2023 Case closed.

More information