Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications

Summary

IBM Aspera has discovered a security vulnerability that requires your immediate attention. Certain Aspera applications (details below) are vulnerable to a buffer overflow, which could allow an attacker with intimate knowledge of the system to execute commands in a restricted shell (aspshell). Aspera strongly recommends that the patch be applied to systems running the latest release of your product in order to ensure that you have all of the latest enhancements and security patches that have been provided with previous releases. The patch binary will also work with prior releases.

NOTE: The patch instructions only apply to installations that were made prior to April 13, 2020. Downloads provided thereafter have the security vulnerability remediated and do not require the patch.

Vulnerability Details

DESCRIPTION: Certain IBM Aspera applications are vulnerable to a buffer overflow, which could allow an attacker with intimate knowledge of the system to execute commands in a restricted shell (aspshell).
CVSS Base score: 8.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Products / Versions

Aspera High-Speed Transfer Server: All versions affected
Aspera High-Speed Transfer Endpoint: All versions affected
Aspera Proxy: All versions affected
Aspera Streaming: All versions affected
Aspera Application Platform On Demand: All versions affected
Aspera Faspex On Demand: All versions affected
Aspera Server On Demand: All versions affected
Aspera Shares On Demand: All versions affected
Aspera Transfer Cluster Manager: All versions affected
Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I): All versions affected

Remediation/Fixes

To address the issue, it is strongly recommended that you run the latest version of the software and then apply the hotfix patch, which contains the new aspshell binary. The patch binary will also work with prior releases. See the table below for the link to the latest version and the hotfix patch.

Products / VRMF / APAR / Remediation/First Fix

Aspera High-Speed Transfer Server
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to latest release (3.9.6)
  - Link to instructions and patch

Aspera High-Speed Transfer Endpoint
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to latest release (3.9.6)
  - Link to instructions and patch

Aspera Proxy
  VRMF: 1.4.4 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to latest release (1.4.4)
  - Link to instructions and patch

Aspera Streaming
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to latest release (3.9.6)
  - Link to instructions and patch

Aspera Application Platform On Demand
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Contact your IBM sales rep for access to the latest released image (3.9.6)
  - Link to instructions and patch

Aspera Faspex On Demand
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Contact your IBM sales rep for access to the latest released image (3.9.6)
  - Link to instructions and patch

Aspera Server On Demand
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Contact your IBM sales rep for access to the latest released image (3.9.6)
  - Link to instructions and patch

Aspera Shares On Demand
  VRMF: 3.9.6 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Contact your IBM sales rep for access to the latest released image (3.9.6)
  - Link to instructions and patch

Aspera Transfer Cluster Manager
  VRMF: 1.3.1 + aspshell patch
  APAR: ATT-1196
  Remediation/First Fix:
  - Link to instructions and patch

Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)
  VRMF: 3.9.12
  APAR: ATT-1196
  Remediation/First Fix:
  - Access your charts to get the latest version

Workarounds and Mitigations

None

References

Change History

30 Mar 2020: Initial Publication
31 Mar 2020: Update link to instructions and patch

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Document Information

Modified date:
20 February 2022

UID

ibm16131703