Release Notes: IBM Aspera Faspex 4.4.2

Product Released: June, 2022.
Release Notes Updated: September, 2023.

This release of IBM Aspera Faspex 4.4.2 provides the new features and fixes listed below. Additional sections cover system requirements and known problems.

Patch Level 4

Important: To install this patch level 4 you must be on Faspex 4.4.2. If you are using an earlier version of Faspex, upgrade to Faspex 4.4.2. For upgrade instructions, refer to the Upgrading Faspex section in the Faspex 4.4 Admin guide.

Download the patch here.

ISSUES FIXED IN THIS PATCH

Aspera/faspex4#520 - Faspex 4.4.2 PL 3 showing OAuth vulnerability CVE-2023-27871.

Aspera/faspex4#468 - Faspex 4.4.2 PL 3 IP address access restriction bypass vulnerability PSIRT# PVR0438526.

Patch Level 3

Important: To install this patch level 3 you must be on Faspex 4.4.2. If you are using an earlier version of Faspex, upgrade to Faspex 4.4.2. For upgrade instructions, refer to the Upgrading Faspex section in the Faspex 4.4 Admin guide.

Download the patch here.

ISSUES FIXED IN THIS PATCH

Aspera/faspex4#446 - Return the X-IBM-Aspera HTTP header to show the server's current running version.

Aspera/faspex4#445 - Added a new rake task asctl faspex:rake aspera:renew_secrets to renew secrets and update relevant passwords in one command.

Aspera/faspex4#443 - Read request parameters as the correct data type.

Aspera/faspex4#440 - Enhance XML validation for endpoints that accept requests in XML format.

Aspera/faspex4#439 - Stop treating requests in XML format as request parameters.

Patch Level 2

Important: To install this patch level 2 you must be on Faspex 4.4.2. If you are using an earlier version of Faspex, upgrade to Faspex 4.4.2. For upgrade instructions, refer to the Upgrading Faspex section in the Faspex 4.4 Admin guide.

Download the patch here.

ISSUES FIXED IN THIS PATCH

FASPX-2054 - JQuery-UI is now updated to version 1.13.2.

FASPX-2087 - Apache is now updated to version 2.4.54.

FASPX-2095 - OpenSSL is now updated to version 1.1.1s.

FASPX-2096 - Zlib is now updated to version 1.2.13.

FASPX-2100 - YAML: Pre-auth RCE in /package_relay/relay_package due to insecure YAML deserialization has been suppressed.

FASPX-2104 - XSS: Restricted render type to avoid insecure rendering.

Patch Level 1

Download the patch here.

ISSUES FIXED IN THIS PATCH

FASPX-2092 - Clickjacking: CSP frame-ancestors missing.

NEW FEATURES

FASPX-486 - Faspex now uses randomly generated Diffie-Hellman prime numbers, and the installation script asks admins if they would like to generate new numbers.

FASPX-1942 - Upgrade Apache to version 2.4.53 or greater.

FASPX-1943 - [Windows] Upgrade OpenSSL to the latest version in Apache/Faspex for TLS 1.3 support.

FASPX-2037 - Upgrade JRE to version 1.11.0_13 or greater.

FASPX-2039 - Upgrade MySQL to 5.7.37.

FASPX-2040 - Upgrade logback to version 1.2.28.

FASPX-2042 - Upgrade PCRE2 to version 10.39.

FASPX-2048 - Added rake task for Directory Service to SAML migration.

ISSUES FIXED IN THIS RELEASE

FASPX-529 - [Windows] Faspex Stats Collector fails to start at boot after applying the Spectre/Meltdown patch.

FASPX-1981 - Faspex security enhancement against XSS injection.

FASPX-2030 - Packages in Faspex with a sent date of one month or older only display the time in the Date-Sent column.

SYSTEM REQUIREMENTS

IBM Aspera High-Speed Transfer Server: 4.2.0+ with Connect Server license
IBM Aspera Common Components: 1.1.38+
IBM Aspera Connect: 4.2.0
IBM Aspera HTTP Gateway: 2.3.0+
Note: To use the file obfuscation feature with Connect, users must be using Connect 3.9.8 or later. (Obfuscation also works with remote sources and HTTP Gateway.)
Hardware:
CPU: 4x 2-GHz CPU cores
Memory: 8 GB RAM
Hard Drive: SSD hard drive or high-speed disks (15K RPM)
Disk Space: 10 GB

Embedded Components:
Apache Version: 2.4.54
Apache SSL Version: 1.1.1s
asctl Version: 2.1
Connect SDK Version: 3.9.7.175481
Mongrels Version: 1.2.0.pre2
MySQL Version: 5.7.37 with @global.sql_mode and @session.sql_mode set to STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION.
Rails Version: 2.3.18
Ruby Version: 1.9.3
Ruby SSL Version: 1.0.2t

64-bit Windows: 2012, 2016, 2019 server
64-bit Linux: CentOS 7, RHEL 7-8 using Common 1.1.38

Browsers: Microsoft Edge 102, Firefox 101, Safari 15.4, Google Chrome 102, Internet Explorer 11 (not supported for HTTP Gateway-related Faspex features)
(Faspex users can successfully access Faspex from any of these browsers on any OS, as long as the browser and OS are also supported by Connect and HTTP Gateway)

KNOWN ISSUES

Upgrade/Install

  • FASPX-2086 - Users can't upgrade to Faspex V4.4.2 from Faspex V4.4.0. Workaround: Follow the upgrade path in the Upgrading Faspex section of the Admin guide.
  • FASPX-2085 - Compatibility issue performing a new install of Faspex V4.4.x for Windows if you have High-Speed Transfer Server V4.3.0 or higher. This does not affect the following:
    • An upgrade of Faspex V4.4.1 PL12 to V4.4.2 (for Windows or Linux) with High-Speed Transfer Server V4.3.0 or higher
    • A new install of Faspex V4.4.x (for Windows or Linux) with High-Speed Transfer Servers before V4.3.0
    • A new install of Faspex V4.4.2 for Linux with High-Speed Transfer V4.3.0 or higher

Transfers

  • FASPX-1614 - Upload fails when user changes the upload method after already selecting files.
  • FASPX-1225 - If a Faspex transfer user has the symbolic_links option set to follow instead of create, Faspex creates an empty package and marks the transfer as completed instead of giving an error. (CIM-2581)
  • FASPX-831 - Faspex errors are not clear when Faspex fails to start transfer because HTTP fallback is not enabled on the node. (CIM-1780)
  • FASPX-352 - Faspex transfers cannot be resumed if the Connect Plug-In is closed and relaunched, even after restarting the web page and the Connect Plug-In. (CIM-632)

Email Notifications

  • FASPX-1739 - The Faspex welcome email still has links to www.asperasoft.com. (CIM-3128)
  • FASPX-983 - In specific cases, handling Stats Collector exceptions prevents Faspex from updating transfers in tables and from sending email notifications about those transfers. Workaround: See Troubleshooting Faspex: Resetting Stats Collector Database. (CIM-2075)

Relays

  • FASPX-1728 - Package relay status does not update after package relay completes.
  • FASPX-940 - Faspex does not support setting multiple shares per user defined in RecipientShareIDs metadata. (CIM-2035)
  • FASPX-893 - In some cases, if multiple tabs are open, a user is able to manually retry a failed relay from the Relays page, even though Faspex has already restarted the failed relay, because the Faspex UI is not updated. (CIM-1925)

Web UI

  • FASPX-1766 - Faspex gives 500 error when trying to toggle user profile columns on the Users page if the user does not have a value set for that column.
  • FASPX-1690 - When downloading a package using HTTP Gateway, Faspex shows the HTTP Gateway IP address as the client IP address instead of the client's own IP address.
  • FASPX-1615 - A user can no longer select files after clearing the list of selected files on the New Package page. Workaround: Refresh the page to select files again.

Mobile

  • FASPX-1038 - Faspex directs users using a mobile web browser to open the Faspex Mobile app. (CIM-2172)

System

  • FASPX-981 - Faspex should ignore records that do not match the requirements of the Faspex database and continue to poll a node for records. (CIM-2022)
  • FASPX-375 - SUSE 11 UI installation for Faspex and Common fails when using the UI to install. Workaround: Install using the command line and the rpm -Uvh command.

API

  • FASPX-1005 - Archiving a package using the v4 API archives the package for the sender instead of for the recipients. (CIM-2145, CIM-2146)

PRODUCT SUPPORT

For online support, go to the IBM Aspera Support site at https://www.ibm.com/mysupport/. To open a support case, log in with your IBMid or set up a new IBMid account.