Lucene search

IBM2C4D2662C973FADA35A630C1FF5FB0196C1C4363DA2BC0482E6A6F12BBBD3709

HistoryDec 10, 2020 - 11:21 p.m.

Security Bulletin: HAProxy vulnerability CVE-2020-11100 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0

2020-12-1023:21:25

www.ibm.com

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

JSON

Summary

HAProxy vulnerability CVE-2020-11100 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0. The fix for this set of vulnerabilities was delivered in IBM Aspera High-Speed Transfer Server V4.0.0 and IBM Aspera High-Speed Transfer Endpoint V4.0.0.

Vulnerability Details

CVEID:CVE-2020-11100
**DESCRIPTION:**HAProxy could allow remote authenticated attacker to execute arbitrary code on the system, caused by an error in hpack_dht_insert in hpack-tbl.c in the HPACK decoder. By sending a specially crafted HTTP/2 request, an attacker could exploit this vulnerability to write arbitrary bytes around a certain location on the heap.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179260 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Aspera High-Speed Transfer Server	3.9.6.2 and earlier
IBM Aspera High-Speed Transfer Endpoint	3.9.6.2 and earlier

Remediation/Fixes

The fix for this set of vulnerabilities was delivered in IBM Aspera High-Speed Transfer Server V4.0.0 and IBM Aspera High-Speed Transfer Endpoint V4.0.0.

Product	VRMF	APAR	Remediation/First Fix
IBM Aspera High-Speed Transfer Server	4.0.0	None	https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/IBM+Aspera+High-Speed+Transfer+Server&release=4.0.0&platform=All&function=all
IBM Aspera High-Speed Transfer Endpoint	4.0.0	None	https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/IBM+Aspera+High-Speed+Transfer+Endpoint&release=4.0.0&platform=All&function=all

Workarounds and Mitigations

None

CPENameOperatorVersion
aspera high-speed synceq4.0.0

CPE	Name	Operator	Version
	aspera high-speed sync	eq	4.0.0

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

JSON

Related for 2C4D2662C973FADA35A630C1FF5FB0196C1C4363DA2BC0482E6A6F12BBBD3709