Security Bulletin: IBM Aspera Platform On Demand, IBM Aspera Server On Demand, IBM Aspera Faspex On Demand, IBM Aspera Shares On Demand, IBM Aspera Transfer Cluster Manager is affected by the vulnerabilities known as Spectre and Meltdown.

Summary

IBM Aspera Platform On Demand, IBM Aspera Server On Demand, IBM Aspera Faspex On Demand, IBM Aspera Shares On Demand, IBM Aspera Transfer Cluster Manager is affected by the vulnerabilities known as Spectre and Meltdown, which can enable CPU data cache timing to be abused to bypass conventional memory security restrictions to gain access to privileged memory that should be inaccessible.

Vulnerability Details

CVEID: CVE-2017-5753

DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a bounds check bypass in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cross the syscall boundary and read data from the CPU virtual memory. CVSS Base Score: 7.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137052 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)

CVEID: CVE-2017-5715

DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a branch target injection in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to leak memory contents into a CPU cache and read host kernel memory. CVSS Base Score: 6.5 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137054 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2017-5754

DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a rogue data cache load in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cause the CPU to read kernel memory from userspace before the permission check for accessing an address is performed. CVSS Base Score: 7.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137053 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)

Affected Products and Versions

Affected Product Name

|

Affected Versions

—|—
IBM Aspera Platform On Demand| 3.7.3 and prior
IBM Aspera Server On Demand| 3.7.3 and prior
IBM Aspera Faspex On Demand| 3.7.3 and prior
IBM Aspera Shares On Demand| 3.7.3 and prior
IBM Aspera Transfer Cluster Manager| 1.2.4 and prior

Remediation/Fixes

Product

| VRMF|APAR|Remediation/First Fix
—|—|—|—
IBM Aspera Platform On Demand| 3.7.4| N/A| <http://downloads.asperasoft.com/en/downloads/54&gt;
IBM Aspera Server On Demand| 3.7.4| N/A| <http://downloads.asperasoft.com/en/downloads/55&gt;
IBM Aspera Faspex On Demand| 3.7.4| N/A| <http://downloads.asperasoft.com/en/downloads/56&gt;
IBM Aspera Shares On Demand| 3.7.4| N/A| <http://downloads.asperasoft.com/en/downloads/57&gt;
IBM Aspera Transfer Cluster Manager| 1.2.5| N/A| Target availability is Q2 2018.

For all affected products, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

**Mitigation -**Meltdown

_IBM Aspera On Demand products _

On Demand images provided by IBM Aspera have CentOS bundled into them and should be updated through the following steps:

On AWS:

1. You may want to create a copy of your current instance as a backup. To do so:

Log in to AWS Console

Select the desired instance

Go to Action -> Image -> Create Image.

2. Connect to your server from a terminal via SSH as root:

# ssh -i [customer’s perm] -p 33001 ec2-user@[ec2 host IP]

# sudo su –

3. Note down your current kernel version

# uname -r

4. Install the patch

_# yum update kernel _

5. Reboot your server_# sudo reboot_

6. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64

# uname -r

On IBM Cloud (Softlayer):

1. Connect to your server from a terminal via SSH as root:

_# ssh centos@[host_IP_address] _

# sudo su –

2. Note down your current kernel version

# uname -r

3. Install the patch

_# yum update kernel _

4. Reboot your server_# sudo reboot_

5. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64

# uname -r

These update steps should be applied to any version up through and including:
· Application Platform On Demand (APOD) - v3.7.3
· Server On Demand (SOD) - v3.7.3
· Shares On Demand (SHOD) - v3.7.3
· Faspex On Demand (FOD) – v3.7.3
· Aspera Transfer Cluster Manager (ATCM) - v1.2.4

Aspera will be providing updated images on all cloud platforms soon; until then, please use the update steps above for your current images. This bulletin will be updated to point to those updated images when they are available.

Mitigation - Spectre

As of this bulletin writing, no OS vendors have yet made available remedies for the Spectre exploit. Fortunately, the Spectre exploit is difficult to accomplish. As OS vendors make available remedies, they should be applied immediately to any OS running beneath Aspera software, and Aspera will immediately apply them in its SaaS offerings and On Demand images.