
Security Bulletin: IBM Aspera High-Speed Transfer Server, Endpoint, and Desktop Client are vulnerable to libcurl vulnerabilities (CVE-2021-22901, CVE-2021-22898)

Published: 2021-09-30 20:07:53
Source: www.ibm.com

CVSS3: 8.1 High
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: NETWORK | Attack Complexity: HIGH | Privileges Required: NONE | User Interaction: NONE
  Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 6.8 Medium
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE
  Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

EPSS: 0.032 Low (percentile 89.7%)

Note: the scores in this header block are the listing's aggregate for the bulletin and differ from IBM's per-CVE scores and vectors given under Vulnerability Details below (8.8 with AC:L/UI:R for CVE-2021-22901, 7.5 for CVE-2021-22898). Use the per-CVE vectors when prioritizing.

Summary

The following libcurl security vulnerabilities have been addressed for IBM Aspera High-Speed Transfer Server (HSTS), IBM Aspera High-Speed Transfer Endpoint (HSTE), and IBM Aspera Desktop Client.

Vulnerability Details

CVEID: CVE-2021-22901
**DESCRIPTION:** cURL libcurl could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when a new TLS session is negotiated or a client certificate is requested on an existing (reused) connection. A malicious or compromised TLS server that libcurl connects to could exploit this vulnerability to execute arbitrary code in the process that embeds libcurl. IBM's X-Force wording ("persuading a victim to visit a specially-crafted Web site") describes the client case; for a server-side product such as HSTS or HSTE the exposure is any outbound libcurl connection that reaches an attacker-controlled TLS endpoint.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202563 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-22898
**DESCRIPTION:** cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the TELNET option parser that sends NEW_ENV variables: uninitialized stack memory is copied into the option data and transmitted to the server. A malicious TELNET server (or, because TELNET is a clear-text protocol, anyone able to observe the connection) could exploit this vulnerability to obtain sensitive internal memory contents of the libcurl-based client and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202562 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)                        Version(s)
IBM Aspera Desktop Client                  4.1 and earlier
IBM Aspera High-Speed Transfer Server      4.1 and earlier
IBM Aspera High-Speed Transfer Endpoint    4.1 and earlier

Remediation/Fixes

Affected Product(s)                        Fixed in Version(s)
IBM Aspera Desktop Client                  4.2
IBM Aspera High-Speed Transfer Server      4.2
IBM Aspera High-Speed Transfer Endpoint    4.2
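The affected and fixed version tables above reduce to a version comparison, but "4.1 and earlier" versus a fix in "4.2" needs care with four-part build numbers such as 4.1.0.nnnnnn. The following Python script is an added example and is not IBM's or the bulletin's own tooling: it reads an `ascp -A`-style banner (the banner text is constructed here and its exact format is an assumption; adapt the regexes to the real output), decides whether the installed Aspera product is below the 4.2 fix level, and separately flags any bundled libcurl below 7.77.0, the upstream curl release that fixed both CVEs (a fact from the curl project, not stated in this bulletin).

```python
"""Version triage for the IBM Aspera libcurl bulletin (CVE-2021-22901, CVE-2021-22898).

Added example, not IBM's or the bulletin's own tooling.
From the bulletin: Desktop Client, HSTS and HSTE 4.1 and earlier are affected;
4.2 contains the fix.  From the curl project (not stated in the bulletin):
both CVEs were fixed upstream in curl 7.77.0.
Assumptions: the `ascp -A` banner line and the libcurl banner line below are
constructed for illustration; adapt the regexes to the real output.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Bulletin: "Fixed in Version(s)" is 4.2 for all three products.
FIXED_ASPERA: Version = (4, 2)
# Upstream curl release that fixed both CVEs (curl project data, assumed here).
FIXED_LIBCURL: Version = (7, 77, 0)

AFFECTED_PRODUCTS = {
    "IBM Aspera Desktop Client",
    "IBM Aspera High-Speed Transfer Server",
    "IBM Aspera High-Speed Transfer Endpoint",
}

# Constructed sample banner; NOT real ascp output.
CONSTRUCTED_ASCP_BANNER = (
    "ascp version 4.1.0.141891\n"
    "libcurl/7.76.1 OpenSSL/1.1.1k zlib/1.2.11\n"
)


def parse_version(text: str) -> Version:
    """'4.1.0.141891' -> (4, 1, 0, 141891). A trailing qualifier such as
    '-rc1' is ignored; a string with no leading number raises ValueError."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: Version, b: Version) -> bool:
    """Compare as if the shorter tuple were zero-padded, so that
    (4, 1, 0, 5) < (4, 2) and (4, 2) is not < (4, 2, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def aspera_is_affected(product: str, version: str) -> bool:
    """True when the installed build is below the bulletin's fix level (4.2).
    '4.1 and earlier' is read as every build below 4.2.0."""
    if product not in AFFECTED_PRODUCTS:
        raise ValueError(f"{product!r} is not listed in this bulletin")
    return version_lt(parse_version(version), FIXED_ASPERA)


def libcurl_is_affected(banner: str) -> Optional[bool]:
    """Look for 'libcurl/X.Y.Z' in a banner. None when no libcurl version is
    visible; True for anything below 7.77.0 (affected by at least CVE-2021-22898)."""
    m = re.search(r"libcurl/(\d+(?:\.\d+)*)", banner)
    if not m:
        return None
    return version_lt(parse_version(m.group(1)), FIXED_LIBCURL)


def triage(product: str, banner: str) -> Dict[str, object]:
    """Run both checks on one banner. A check reports None when the
    corresponding version string could not be found."""
    m = re.search(r"ascp version (\d+(?:\.\d+)*)", banner)
    aspera_version = m.group(1) if m else None
    return {
        "product": product,
        "aspera_version": aspera_version,
        "aspera_affected": aspera_is_affected(product, aspera_version) if aspera_version else None,
        "libcurl_affected": libcurl_is_affected(banner),
    }


if __name__ == "__main__":
    print(triage("IBM Aspera High-Speed Transfer Server", CONSTRUCTED_ASCP_BANNER))
```

The libcurl check is a second, independent signal: an Aspera build reported as 4.2 that still ships a libcurl older than 7.77.0 deserves a closer look, and a host whose banner shows no libcurl version at all is reported as unknown rather than safe.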

Workarounds and Mitigations

None
