**5.6 Medium** (CVSS3)

| Metric | Value |
|---|---|
| Attack Vector | LOCAL |
| Attack Complexity | HIGH |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | NONE |
| Availability Impact | NONE |
| Vector string | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |

**4.7 Medium** (CVSS2)

| Metric | Value |
|---|---|
| Access Vector | LOCAL |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | NONE |
| Availability Impact | NONE |
| Vector string | AV:L/AC:M/Au:N/C:C/I:N/A:N |
IBM Aspera Platform On Demand, IBM Aspera Server On Demand, IBM Aspera Faspex On Demand, IBM Aspera Shares On Demand and IBM Aspera Transfer Cluster Manager are affected by the vulnerabilities known as Spectre and Meltdown, which allow CPU data cache timing to be abused to bypass conventional memory security restrictions and gain access to privileged memory that should be inaccessible.
CVEID: CVE-2017-5753

DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a bounds check bypass in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cross the syscall boundary and read data from the CPU virtual memory.

- CVSS Base Score: 7.3
- CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137052 for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)

CVEID: CVE-2017-5715

DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a branch target injection in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to leak memory contents into a CPU cache and read host kernel memory.

- CVSS Base Score: 6.5
- CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137054 for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2017-5754

DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a rogue data cache load in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cause the CPU to read kernel memory from userspace before the permission check for accessing an address is performed.

- CVSS Base Score: 7.3
- CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137053 for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
| Affected Product Name | Affected Versions |
|---|---|
| IBM Aspera Platform On Demand | 3.7.3 and prior |
| IBM Aspera Server On Demand | 3.7.3 and prior |
| IBM Aspera Faspex On Demand | 3.7.3 and prior |
| IBM Aspera Shares On Demand | 3.7.3 and prior |
| IBM Aspera Transfer Cluster Manager | 1.2.4 and prior |
| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM Aspera Platform On Demand | 3.7.4 | N/A | <http://downloads.asperasoft.com/en/downloads/54> |
| IBM Aspera Server On Demand | 3.7.4 | N/A | <http://downloads.asperasoft.com/en/downloads/55> |
| IBM Aspera Faspex On Demand | 3.7.4 | N/A | <http://downloads.asperasoft.com/en/downloads/56> |
| IBM Aspera Shares On Demand | 3.7.4 | N/A | <http://downloads.asperasoft.com/en/downloads/57> |
| IBM Aspera Transfer Cluster Manager | 1.2.5 | N/A | Target availability is Q2 2018. |
For all affected products, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
**Mitigation - Meltdown**

_IBM Aspera On Demand products_
On Demand images provided by IBM Aspera have CentOS bundled into them and should be updated through the following steps:
On AWS:

1. You may want to create a copy of your current instance as a backup. To do so:
   - Log in to the AWS Console
   - Select the desired instance
   - Go to Action -> Image -> Create Image.
2. Connect to your server from a terminal via SSH as root:
   ```
   # ssh -i [customer's perm] -p 33001 ec2-user@[ec2 host IP]
   # sudo su -
   ```
3. Note down your current kernel version:
   ```
   # uname -r
   ```
4. Install the patch:
   ```
   # yum update kernel
   ```
5. Reboot your server:
   ```
   # sudo reboot
   ```
6. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64:
   ```
   # uname -r
   ```
On IBM Cloud (Softlayer):

1. Connect to your server from a terminal via SSH as root:
   ```
   # ssh centos@[host_IP_address]
   # sudo su -
   ```
2. Note down your current kernel version:
   ```
   # uname -r
   ```
3. Install the patch:
   ```
   # yum update kernel
   ```
4. Reboot your server:
   ```
   # sudo reboot
   ```
5. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64:
   ```
   # uname -r
   ```
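As an added check that is not part of the bulletin, the following script compares the kernel reported by `uname -r` with the minimum version named in the verification step, numeric field by numeric field, so the check does not rely on eyeballing the string. It assumes the CentOS 7 release naming shown above; `REQUIRED_KERNEL` is the bulletin's value, the function names are my own.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin: check that the kernel actually
# running (uname -r) is at least the minimum named in the Meltdown steps.
# Assumes the CentOS 7 release naming shown in the bulletin.

REQUIRED_KERNEL="3.10.0-693.11.6.el7.x86_64"   # minimum from the bulletin

# Print the leading numeric fields of a release string, one per line:
# "3.10.0-693.11.6.el7.x86_64" -> 3 10 0 693 11 6 (stops at "el7")
kernel_fields() {
    printf '%s\n' "$1" | sed 's/-/./g' | tr '.' '\n' | while read -r f; do
        case "$f" in
            ''|*[!0-9]*) break ;;     # first non-numeric field ends the version
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# kernel_at_least RUNNING REQUIRED -> status 0 if RUNNING >= REQUIRED, else 1.
# Fields compare numerically; a missing trailing field counts as 0.
kernel_at_least() {
    need=$(kernel_fields "$2")
    set -- $(kernel_fields "$1")      # positional params now hold RUNNING's fields
    for n in $need; do
        h=${1:-0}
        [ "$h" -gt "$n" ] && return 0
        [ "$h" -lt "$n" ] && return 1
        [ $# -gt 0 ] && shift
    done
    return 0
}

# A kernel that is installed but not yet booted leaves the host exposed,
# so this deliberately reads the running kernel rather than the rpm database.
report_running_kernel() {
    running=$(uname -r)
    if kernel_at_least "$running" "$REQUIRED_KERNEL"; then
        echo "OK: running kernel $running meets minimum $REQUIRED_KERNEL"
    else
        echo "PATCH NEEDED: running kernel $running is older than $REQUIRED_KERNEL"
    fi
}

report_running_kernel
```

Because only the numeric fields are compared, the check also works for later CentOS 7 kernels (for example a 3.10.0-862 build) and for hosts that have moved to a newer major release.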
These update steps should be applied to any version up through and including:

- Application Platform On Demand (APOD) - v3.7.3
- Server On Demand (SOD) - v3.7.3
- Shares On Demand (SHOD) - v3.7.3
- Faspex On Demand (FOD) - v3.7.3
- Aspera Transfer Cluster Manager (ATCM) - v1.2.4
Aspera will be providing updated images on all cloud platforms soon; until then, please use the update steps above for your current images. This bulletin will be updated to point to those updated images when they are available.
**Mitigation - Spectre**

At the time of writing, no OS vendor has yet made remedies for the Spectre exploit available. Fortunately, the Spectre exploit is difficult to accomplish. As OS vendors make remedies available, they should be applied immediately to any OS running beneath Aspera software, and Aspera will immediately apply them in its SaaS offerings and On Demand images.
CPE

| Name | Operator | Version |
|---|---|---|
| ibm aspera | eq | any |