History: Apr 18, 2024 - 5:58 p.m.

Security Bulletin: IBM Aspera Faspex is vulnerable to multiple encryption vulnerabilities.

2024-04-18 17:58:07
www.ibm.com
ibm
aspera faspex
encryption vulnerabilities
cve-2023-22869
cve-2023-37396
cve-2023-27279
cve-2023-37395
cve-2023-37397
cve-2022-40745
sensitive information
log files
denial of service
api rate limiting
fix
aspera faspex 5.0.8
linux

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.4 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 13.2%)

Summary

IBM Aspera Faspex 5.0.8 has addressed multiple encryption vulnerabilities (CVE-2023-22869, CVE-2023-37396, CVE-2023-27279, CVE-2023-37395, CVE-2023-37397, CVE-2022-40745).

Vulnerability Details

CVEID: CVE-2023-22869
**DESCRIPTION:** IBM Aspera Faspex stores potentially sensitive information in log files that could be read by a local user.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244119 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2023-37396
**DESCRIPTION:** IBM Aspera Faspex could allow a local user to obtain sensitive information due to improper encryption of certain data.
CVSS Base score: 2.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259671 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2023-27279
**DESCRIPTION:** IBM Aspera Faspex 5 could allow a user to cause a denial of service due to missing API rate limiting.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248533 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-37395
**DESCRIPTION:** IBM Aspera Faspex could allow a local user to obtain sensitive information due to improper encryption of certain data.
CVSS Base score: 2.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259669 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2023-37397
**DESCRIPTION:** IBM Aspera Faspex could allow a local user to obtain or modify sensitive information due to improper encryption of certain data.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259672 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2022-40745
**DESCRIPTION:** IBM Aspera Faspex 5 could allow a local user to obtain sensitive information due to weaker than expected security.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236452 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| Aspera Faspex 5 | 5.0.0 - 5.0.7 |

Remediation/Fixes

It is recommended to apply the fix as soon as possible; see the link below.

| Product | Fixing VRM | Platform | Link to Fix |
| IBM Aspera Faspex | 5.0.8 | Linux | click here |

Workarounds and Mitigations

None

Affected configurations

Vulners Node:
ibm aspera_faspex, Match 5.0.8
OR
ibm aspera_faspex_on_demand, Match 3.7
OR
ibm aspera_faspex_on_demand, Match 1.1
OR
ibm aspera_faspex, Match 1.0
OR
ibm aspera_streaming, Match 1.0
