History: Dec 08, 2018 - 4:55 a.m.

Security Bulletin: OpenSSH client bug (CVE-2016-0777 and CVE-2016-0778)

www.ibm.com
EPSS: 0.003 (Low), percentile 67.8%

Summary

Aspera software is not affected by a bug found in the OpenSSH client. The bug creates an exploitable information leak that could allow a malicious server to steal a client's private keys. The issue affects only OpenSSH client versions 5.4 - 7.1.

Specifically, the vulnerability occurs in the roaming feature of the OpenSSH client, which is turned on by default. See the link below for more information.

CVEID: CVE-2016-0777

Effect

Aspera products use their own embedded SSH clients, which are run with no options, and ascp does not make use of OpenSSH configurations.

Therefore, this security issue does NOT AFFECT any Aspera products.

CPE Name | Operator | Version
ibm aspera | eq | any