DIVD-2023-00012 - Unauthenticated Remote Command Execution in IBM Aspera Faspex
IBM Aspera Faspex
Update your Aspera Faspex instance to 4.4.2 Patch Level 2 to mitigate the vulnerability.
20 Apr 2023 12:58
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system.
What you can do
Update your Aspera Faspex instance to 4.4.2 Patch Level 2 to mitigate the vulnerability.
What we are doing
DIVD is currently working to identify vulnerable parties and to notify them. We do this by finding Aspera Faspex instances and verifying their version.
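The version check this implies, as an added example that is not DIVD's or IBM's own tooling: it parses a Faspex version string, compares it against the fixed release named above (4.4.2 Patch Level 2) and triages an inventory. The accepted spellings of the patch level and the sample inventory are assumptions, not taken from the advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed release stated in the advisory: 4.4.2 Patch Level 2.
# Versions below this tuple (major, minor, patch, patch level) are affected.
FIXED = (4, 4, 2, 2)

# Assumed spellings: "4.4.2 Patch Level 1", "4.4.2 PL1", "4.4.2-pl1" or a
# bare "4.4.1" (a missing patch level counts as 0). Adjust the pattern to
# whatever form your own inventory records.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)"
    r"(?:[\s\-_]*(?:patch\s*level|pl)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, patch_level) or None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, pl = m.groups()
    return (int(major), int(minor), int(patch), int(pl or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the version predates the fix, False if fixed, None if unknown."""
    version = parse_version(text)
    if version is None:
        return None
    return version < FIXED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host as 'affected', 'patched' or 'unknown' (unparseable)."""
    labels = {None: "unknown", True: "affected", False: "patched"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "faspex-a.example.internal": "4.4.2 Patch Level 1",
    "faspex-b.example.internal": "4.4.2 PL2",
    "faspex-c.example.internal": "4.4.1",
    "faspex-d.example.internal": "n/a",
}
```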
17 Feb 2023 - IBM security bulletin released.
21 Feb 2023 - DIVD starts researching a fingerprint.
23 Feb 2023 - DIVD identifies vulnerable parties.
01 Mar 2023 - DIVD sends first round of notifications.
11 Mar 2023 - DIVD conducts second scan and sends second round of notifications.
05 Apr 2023 - DIVD conducts third scan and sends third round of notifications.
20 Apr 2023