Security Bulletin: IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874)

Published: 2023-06-20 22:11:22
Source: www.ibm.com
Tags: ibm aspera, faspex 4.4.2 pl3, xml external entity injection, sensitive credential information, upgrade, faspex v5, patch, security vulnerabilities

CVSS3: 9.9
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.001
Percentile: 47.1%

Summary

This Security Bulletin addresses security vulnerabilities that have been remediated (CVE-2023-27871, CVE-2023-27873) and mitigated (CVE-2023-27874) in IBM Aspera Faspex 4.4.2 PL3.

Vulnerability Details

CVEID: CVE-2023-27874
**DESCRIPTION:** IBM Aspera is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.
CVSS Base score: 9.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249845 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2023-27871
**DESCRIPTION:** IBM Aspera Faspex could allow a remote attacker to obtain sensitive credential information for an external user, using a specially crafted SQL query.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249613 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2023-27873
**DESCRIPTION:** IBM Aspera Faspex could allow a remote authenticated attacker to obtain sensitive credential information using specially crafted XML input.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
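
Two of the three issues above (CVE-2023-27874, CVE-2023-27873) are triggered by crafted XML. Added example, not IBM's code and not the Faspex fix: a fail-closed gate an application can run before any XML parser sees a request body. It rejects every document that carries a DTD, the construct XXE depends on, and names the indicators it found so blocked requests can be logged. The sample bodies, file path and URL are constructed placeholders.

```python
import re
# Added example (not IBM's code): fail-closed gate for XML request bodies. XXE needs
# a DTD, so refusing any document carrying a DOCTYPE/ENTITY declaration before it
# reaches the parser removes that input class, whatever the parser's own settings.
_BOMS = ((b"\xff\xfe\x00\x00", "utf-32-le"), (b"\x00\x00\xfe\xff", "utf-32-be"),
         (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"), (b"\xef\xbb\xbf", "utf-8"))
_DECL_ENC = re.compile(rb'^\s*<\?xml[^>]*?encoding\s*=\s*["\']([\w.-]+)["\']', re.I)
_DOCTYPE = re.compile(r"<!DOCTYPE", re.I)
_ENTITY = re.compile(r"<!ENTITY", re.I)
_EXTERNAL = re.compile(r"<!ENTITY\s+%?\s*[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.I)
_PARAM = re.compile(r"<!ENTITY\s+%", re.I)

def decode_xml(raw: bytes) -> str:
    """Decode by BOM, then bare UTF-16 byte pattern, then the XML declaration,
    else UTF-8. A byte-level scan alone would miss '<!DOCTYPE' in a UTF-16 body."""
    for bom, enc in _BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc)
    if raw.startswith(b"<\x00"):
        return raw.decode("utf-16-le")
    if raw.startswith(b"\x00<"):
        return raw.decode("utf-16-be")
    m = _DECL_ENC.match(raw)
    return raw.decode(m.group(1).decode("ascii") if m else "utf-8")

def xxe_indicators(raw: bytes) -> list:
    """DTD constructs found (empty = no DTD). Comments/CDATA are not skipped on purpose."""
    try:
        text = decode_xml(raw)
    except (UnicodeDecodeError, LookupError):
        return ["undecodable"]  # fail closed on bytes we cannot inspect
    checks = (("doctype", _DOCTYPE), ("entity-declaration", _ENTITY),
              ("external-identifier", _EXTERNAL), ("parameter-entity", _PARAM))
    return [name for name, rx in checks if rx.search(text)]

def allow_xml(raw: bytes) -> bool:
    """Call before any XML parser: True only for DTD-free, decodable documents."""
    return not xxe_indicators(raw)

# Constructed sample request bodies (not from the bulletin); URL and path are placeholders.
SAMPLES = {
    "benign": b'<?xml version="1.0"?><package><title>Q3 report</title></package>',
    "internal_dtd": b'<!DOCTYPE p [<!ENTITY co "Example Co">]><p>&co;</p>',
    "external_entity": b'<!DOCTYPE p [<!ENTITY x SYSTEM "file:///placeholder/path">]><p>&x;</p>',
    "param_entity_utf16": '<!DOCTYPE p [<!ENTITY % e SYSTEM "http://placeholder.invalid/x.dtd">%e;]><p/>'.encode("utf-16"),
}
if __name__ == "__main__":
    print({name: (allow_xml(body), xxe_indicators(body)) for name, body in SAMPLES.items()})
```

Rejecting all DTDs is stricter than a parser-level fix and will refuse legitimate documents that declare internal entities; that trade-off is deliberate for an upload endpoint.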

Affected Products and Versions

IBM Aspera Faspex 4.4.2 PL2 and earlier versions.

Remediation/Fixes

It is recommended that customers take one of the following actions as soon as possible:

1. Upgrade to Faspex v5. Given the impending end of service of Version 4 later this year, this is an important action all customers should take.

Faspex 5.0.4 can be downloaded from here. Installation instructions can be found here.

2. Apply the latest Version 4 patch, 4.4.2 PL3 (see the links below).

| Product(s) | Fixing VRM | Platform | Link to Fix |
|---|---|---|---|
| IBM Aspera Faspex | 4.4.2 PL3 | Windows | click here |
| IBM Aspera Faspex | 4.4.2 PL3 | Linux | click here |

Workarounds and Mitigations

This fix mitigates CVE-2023-27874.

Affected configurations

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | aspera_server_on_demand | 1.0 | cpe:2.3:a:ibm:aspera_server_on_demand:1.0:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 1.1 | cpe:2.3:a:ibm:aspera_faspex:1.1:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 4.4.2 | cpe:2.3:a:ibm:aspera_faspex:4.4.2:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 2 | cpe:2.3:a:ibm:aspera_faspex:2:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 1.0 | cpe:2.3:a:ibm:aspera_faspex:1.0:*:*:*:*:*:*:* |
| ibm | aspera_faspex_on_demand | 4.4.2 | cpe:2.3:a:ibm:aspera_faspex_on_demand:4.4.2:*:*:*:*:*:*:* |
| ibm | aspera_faspex_on_demand | 2 | cpe:2.3:a:ibm:aspera_faspex_on_demand:2:*:*:*:*:*:*:* |
