Security Bulletin
Summary
When a weak (guessable) app_id is used with the IBM Aspera Connect SDK, an attacker who learns or guesses that app_id can retrieve sensitive transfer details through the Connect API.
Vulnerability Details
The confidentiality of transfer information held by the Connect client is protected only by the web application’s app_id: it is the value that scopes access to that application’s transfer history. If an attacker discovers or guesses the app_id, they can use the Connect API to retrieve metadata about transfers performed recently under it and potentially leverage this information to mount further attacks, including initiating file transfers.
Affected Products and Versions
IBM Aspera Connect 3.7.4 and earlier
Any web application built on Connect SDK 3.7.4 or older is affected unless it is explicitly configured to use a secure (random, non-guessable) app_id. The following products could be affected:
• IBM Aspera Connect Server (IBM Aspera High-Speed Transfer Server)
• IBM Aspera Faspex
• IBM Aspera Shares
• IBM Aspera SharePoint
The following products are currently unaffected:
• IBM Aspera Files
• IBM Aspera on Cloud
Remediation/Fixes
IBM recommends upgrading IBM Aspera Connect and the IBM Aspera Connect SDK to version 3.8. The 3.8 SDK automatically creates a secure app_id if the web application does not supply one. To protect user privacy, the 3.8 Connect client, on startup, removes from its database any existing transfer information recorded under an insecure app_id.
Customers who load the SDK from its default location, the Aspera-hosted Cloudfront distribution, receive the fix automatically. The 3.8 SDK also displays the message “IBM Aspera Connect requires a security update.” to prompt the upgrade of the Connect client.
For customers who host the SDK: the IBM Aspera Connect SDK 3.8.0 is available from the Aspera Developer Network site: https://developer.asperasoft.com/web/connect-client/hosting
For customers running the client: the IBM Aspera Connect 3.8.0 client is available from the Aspera download site: http://downloads.asperasoft.com/connect
Workarounds and Mitigations
When an older version of the IBM Aspera Connect SDK must remain in use, ensure that the app_id cannot be guessed by an attacker: generate it from a cryptographically secure random source rather than deriving it from anything predictable. Do not include the host name or product name in the app_id, and do not use monotonically increasing (counter-style) app_ids.
To protect against disclosure of transfers already recorded under a weak app_id, remove them with the SDK function AW4.Connect#removeTransfer(transferId).
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
15 June 2018
UID
swg22016012