Oct 12, 2023 - 5:10 p.m.

Security Bulletin: IBM Aspera Faspex has addressed an IP address restriction bypass vulnerability

2023-10-12 17:10:08
www.ibm.com

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 43.4%

Summary

IBM Aspera Faspex could allow a malicious actor to bypass the IP whitelist check at user login. This is not an unauthorized user access exploit.

Vulnerability Details

CVEID: CVE-2023-30995
DESCRIPTION: IBM Aspera Faspex 4.0 through 4.4.2 and 5.0 through 5.0.5 could allow a malicious actor to bypass IP whitelist restrictions using a specially crafted HTTP request. IBM X-Force ID: 254268.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/254268 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Aspera Faspex | 4.0 - 4.4.2 PL3
IBM Aspera Faspex | 5.0 - 5.0.5

Remediation/Fixes

It is recommended that customers take one of the following actions as soon as possible:

1. Upgrade to Faspex v5. Given the impending end of service of Version 4 later this year, this is an important action all customers should take.

Faspex 5.0.6 can be downloaded from here. Installation instructions can be found here.

2. Apply the latest patch; see links below.

Product(s) | Fixing VRM | Platform | Link to Fix
IBM Aspera Faspex | 5.0.6 | Linux | click here
IBM Aspera Faspex | 4.4.2 PL4 | Linux | click here
IBM Aspera Faspex | 4.4.2 PL4 | Windows | click here

Workarounds and Mitigations

None

Affected configurations

Vulners
Node:
ibm aspera_server_on_demand Match 1.1
OR ibm aspera_faspex Match 4.0
OR ibm aspera_faspex Match 4.4.2
OR ibm aspera_faspex Match 3
OR ibm aspera_faspex Match 5.0
OR ibm aspera_faspex Match 5.0.5
OR ibm aspera_faspex Match 1.0
OR ibm aspera_faspex Match 1.0
OR ibm aspera_faspex_on_demand Match 3.7

Vendor | Product | Version | CPE
ibm | aspera_server_on_demand | 1.1 | cpe:2.3:a:ibm:aspera_server_on_demand:1.1:*:*:*:*:*:*:*
ibm | aspera_faspex | 4.0 | cpe:2.3:a:ibm:aspera_faspex:4.0:*:*:*:*:*:*:*
ibm | aspera_faspex | 4.4.2 | cpe:2.3:a:ibm:aspera_faspex:4.4.2:*:*:*:*:*:*:*
ibm | aspera_faspex | 3 | cpe:2.3:a:ibm:aspera_faspex:3:*:*:*:*:*:*:*
ibm | aspera_faspex | 5.0 | cpe:2.3:a:ibm:aspera_faspex:5.0:*:*:*:*:*:*:*
ibm | aspera_faspex | 5.0.5 | cpe:2.3:a:ibm:aspera_faspex:5.0.5:*:*:*:*:*:*:*
ibm | aspera_faspex | 1.0 | cpe:2.3:a:ibm:aspera_faspex:1.0:*:*:*:*:*:*:*
ibm | aspera_faspex_on_demand | 3.7 | cpe:2.3:a:ibm:aspera_faspex_on_demand:3.7:*:*:*:*:*:*:*
