CVSS3: 5.6 Medium
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS2: 4.7 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N
Security Bulletin: Aspera Products and the Meltdown and Spectre vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
Summary
The industry-identified CPU vulnerabilities known as “Meltdown” and “Spectre” affect software products from all vendors running in all environments across CPU types and OSs. While the vulnerabilities (and the remedies) are at the OS and CPU level and are not specific to IBM Aspera software, systems should be updated with the industry-specified remediations as they become available from OS providers.
Vulnerability Details
“Meltdown”:
https://vulners.com/cve/CVE-2017-5754
<https://meltdownattack.com>
“Spectre”:
https://vulners.com/cve/CVE-2017-5753
https://vulners.com/cve/CVE-2017-5715
<https://spectreattack.com>
Affected Products and Versions
All software applications from any vendor may be impacted until the OS that they are running on is updated according to instructions from the OS vendor.
Remediation/Fixes - Meltdown
IBM Aspera On Demand products
On Demand images provided by IBM Aspera have CentOS bundled into them and should be updated through the following steps:
On AWS:
# ssh -i [customer's perm] -p 33001 ec2-user@[ec2 host IP]
# sudo su
# uname -r
# yum update kernel
# sudo reboot
# uname -r
On IBM Cloud (Softlayer):
2. Note down your current kernel version
# uname -r
3. Install the patch
# yum update kernel
4. Reboot your server
# sudo reboot
5. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64
# uname -r
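The check in step 5 can be scripted. The following is an added example, not part of IBM's bulletin: it compares a kernel release string against the minimum version given above. The names kernel_at_least, report and the --check argument are hypothetical, and it assumes EL-style release strings such as those printed by uname -r on CentOS 7.

```shell
#!/bin/sh
# Added example (not from the bulletin): automates the step 5 check.
MIN_FIXED="3.10.0-693.11.6.el7.x86_64"   # minimum kernel stated in step 5

# kernel_at_least RELEASE [MINIMUM]  (hypothetical helper name)
# Returns 0 if RELEASE >= MINIMUM, 1 if it is older, 2 if RELEASE is not an
# EL-style string (only digits, dots and hyphens before ".elN").
kernel_at_least() {
    have=$(printf '%s' "$1" | sed 's/\.el[0-9].*$//')
    want=$(printf '%s' "${2:-$MIN_FIXED}" | sed 's/\.el[0-9].*$//')
    case "$have" in
        ''|*[!0-9.-]*) return 2 ;;
    esac
    # Compare field by field as integers, treating a missing field as 0, so
    # 3.10.0-693.el7 (no errata level) ranks below 3.10.0-693.11.6.el7.
    # A plain string comparison would rank "el7" above "11" and pass it.
    awk -v a="$have" -v b="$want" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# report RELEASE: print a verdict and return kernel_at_least's status.
report() {
    if kernel_at_least "$1"; then
        echo "OK: $1 is at or above $MIN_FIXED"
    else
        rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "OLD: $1 is below $MIN_FIXED; update the kernel and reboot"
        else
            echo "UNKNOWN: $1 is not an EL-style release; check with the OS vendor"
        fi
        return "$rc"
    fi
}

# Check the running kernel only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    report "$(uname -r)"
    exit $?
fi
```

Run it with --check after the reboot in step 4; an exit status of 1 means the host is still on a kernel older than the minimum in step 5.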
These update steps should be applied to any version up through and including:
Aspera will be providing updated images on all cloud platforms soon; until then please use the update steps above for your current images. This bulletin will be updated to point to those updated images when they are available.
IBM Aspera on-premise products
The OS beneath all on-premise products should be updated with the OS vendor's remediation as soon as it is available, using instructions provided by the vendor.
IBM Aspera SaaS products
Cloud providers that host Aspera SaaS services are rapidly updating the OS and underlying software components as updates become available from the respective vendors.
As of this bulletin writing the status of applying the Meltdown remediation on Aspera SaaS products is:
Any Aspera SaaS subscribers who need further explanation should contact Aspera Support (email [email protected] to make the request).
Remediation/Fixes - Spectre
As of this bulletin writing, no OS vendors have yet made remedies available for the Spectre exploit. Fortunately, the Spectre exploit is difficult to accomplish. As OS vendors make remedies available, they should be applied immediately to any OS running beneath Aspera software, and Aspera will immediately apply them in its SaaS offerings and On Demand images.
Change History
Updated 8 Jan 2018
5 Jan 2018
CPE | Name | Operator | Version |
---|---|---|---|
 | ibm aspera | eq | any |