Security Bulletin
Summary
IBM Aspera Platform On Demand, IBM Aspera Server On Demand, IBM Aspera Faspex On Demand, IBM Aspera Shares On Demand, IBM Aspera Transfer Cluster Manager is affected by the vulnerabilities known as Spectre and Meltdown, which can enable CPU data cache timing to be abused to bypass conventional memory security restrictions to gain access to privileged memory that should be inaccessible.
Vulnerability Details
CVEID: CVE-2017-5753
DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a bounds check bypass in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cross the syscall boundary and read data from the CPU virtual memory. CVSS Base Score: 7.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137052 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
CVEID: CVE-2017-5715
DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a branch target injection in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to leak memory contents into a CPU cache and read host kernel memory. CVSS Base Score: 6.5 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137054 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
CVEID: CVE-2017-5754
DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a rogue data cache load in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cause the CPU to read kernel memory from userspace before the permission check for accessing an address is performed. CVSS Base Score: 7.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137053 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
Affected Products and Versions
Affected Product Name | Affected Versions |
IBM Aspera Platform On Demand | 3.7.3 and prior |
IBM Aspera Server On Demand | 3.7.3 and prior |
IBM Aspera Faspex On Demand | 3.7.3 and prior |
IBM Aspera Shares On Demand | 3.7.3 and prior |
IBM Aspera Transfer Cluster Manager | 1.2.4 and prior |
Remediation/Fixes
Product | VRMF | APAR | Remediation/First Fix |
IBM Aspera Platform On Demand | 3.7.4 | N/A | http://downloads.asperasoft.com/en/downloads/54 |
IBM Aspera Server On Demand | 3.7.4 | N/A | http://downloads.asperasoft.com/en/downloads/55 |
IBM Aspera Faspex On Demand | 3.7.4 | N/A | http://downloads.asperasoft.com/en/downloads/56 |
IBM Aspera Shares On Demand | 3.7.4 | N/A | http://downloads.asperasoft.com/en/downloads/57 |
IBM Aspera Transfer Cluster Manager | 1.2.5 | N/A | Target availability is Q2 2018. |
For all affected products, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Workarounds and Mitigations
Mitigation - Meltdown
IBM Aspera On Demand products
On Demand images provided by IBM Aspera have CentOS bundled into them and should be updated through the following steps:
On AWS:
1. You may want to create a copy of your current instance as a backup. To do so:
Log in to AWS Console
Select the desired instance
Go to Action -> Image -> Create Image.
2. Connect to your server from a terminal via SSH as root:
# ssh -i [customer's perm] -p 33001 ec2-user@[ec2 host IP]
# sudo su –
3. Note down your current kernel version
# uname -r
4. Install the patch
# yum update kernel
5. Reboot your server# sudo reboot
6. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64
# uname -r
On IBM Cloud (Softlayer):
1. Connect to your server from a terminal via SSH as root:
# ssh centos@[host_IP_address]
# sudo su –
2. Note down your current kernel version
# uname -r
3. Install the patch
# yum update kernel
4. Reboot your server# sudo reboot
5. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64
# uname -r
These update steps should be applied to any version up through and including:
· Application Platform On Demand (APOD) - v3.7.3
· Server On Demand (SOD) - v3.7.3
· Shares On Demand (SHOD) - v3.7.3
· Faspex On Demand (FOD) – v3.7.3
· Aspera Transfer Cluster Manager (ATCM) - v1.2.4
Aspera will be providing updated images on all cloud platforms soon; until then, please use the update steps above for your current images. This bulletin will be updated to point to those updated images when they are available.
Mitigation - Spectre
As of this bulletin writing, no OS vendors have yet made available remedies for the Spectre exploit. Fortunately, the Spectre exploit is difficult to accomplish. As OS vendors make available remedies, they should be applied immediately to any OS running beneath Aspera software, and Aspera will immediately apply them in its SaaS offerings and On Demand images.
Get Notified about Future Security Bulletins
References
Acknowledgement
The vulnerability was reported to IBM by Google Project Zero.
Change History
8 January 2018: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg22012643