
Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications

Summary

IBM Aspera has discovered a security vulnerability that requires your immediate attention. Certain Aspera applications (listed below) are vulnerable to a buffer overflow that could allow an attacker with intimate knowledge of the system to execute commands in the restricted shell (aspshell). Aspera strongly recommends applying the patch to systems running the latest release of your product, so that you also have all of the enhancements and security fixes delivered with previous releases. The patch binary also works with prior releases.

NOTE: The patch instructions apply only to installations performed before April 13, 2020. Downloads provided after that date already have the vulnerability remediated and do not require the patch.

Vulnerability Details

DESCRIPTION: Certain IBM Aspera applications are vulnerable to a buffer overflow, which could allow an attacker with intimate knowledge of the system to execute commands in a restricted shell (aspshell).
CVSS Base score: 8.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

All versions of the following products are affected:

- Aspera High-Speed Transfer Server
- Aspera High-Speed Transfer Endpoint
- Aspera Proxy
- Aspera Streaming
- Aspera Application Platform On Demand
- Aspera Faspex On Demand
- Aspera Server On Demand
- Aspera Shares On Demand
- Aspera Transfer Cluster Manager
- Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)

Remediation/Fixes

To address the issue, it is strongly recommended to run the latest version of the software and then apply the hotfix patch, which contains the new aspshell binary. The patch binary also works with prior releases. The table below gives, for each product, the latest version (VRMF), the APAR, and the links to the latest release and the hotfix patch.

Aspera High-Speed Transfer Server
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to latest release (3.9.6)
  - Link to instructions and patch

Aspera High-Speed Transfer Endpoint
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to latest release (3.9.6)
  - Link to instructions and patch

Aspera Proxy
  VRMF: 1.4.4 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to latest release (1.4.4)
  - Link to instructions and patch

Aspera Streaming
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to latest release (3.9.6)
  - Link to instructions and patch

Aspera Application Platform On Demand
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Contact your IBM sales rep for access to the latest released image (3.9.6)
  - Link to instructions and patch

Aspera Faspex On Demand
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Contact your IBM sales rep for access to the latest released image (3.9.6)
  - Link to instructions and patch

Aspera Server On Demand
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Contact your IBM sales rep for access to the latest released image (3.9.6)
  - Link to instructions and patch

Aspera Shares On Demand
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Contact your IBM sales rep for access to the latest released image (3.9.6)
  - Link to instructions and patch

Aspera Transfer Cluster Manager
  VRMF: 1.3.1 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to instructions and patch

Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)
  VRMF: 3.9.12
  APAR: ATT-1196
  Remediation/First Fix:
  - Access your charts to get the latest version

Workarounds and Mitigations

None

References

Change History

30 Mar 2020: Initial Publication
31 Mar 2020: Update link to instructions and patch

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

Document Information

Modified date: 20 February 2022
UID: ibm16131703