This Security Bulletin addresses security vulnerabilities that have been remediated (CVE-2023-27871, CVE-2023-27873) and mitigated (CVE-2023-27874) in IBM Aspera Faspex 4.4.2 PL3.
CVEID:CVE-2023-27874
**DESCRIPTION:**IBM Aspera is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.
CVSS Base score: 9.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249845 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVEID:CVE-2023-27871
**DESCRIPTION:**IBM Aspera Faspex could allow a remote attacker to obtain sensitive credential information for an external user, using a specially crafted SQL query.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249613 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-27873
**DESCRIPTION:**IBM Aspera Faspex could allow a remote authenticated attacker to obtain sensitive credential information using specially crafted XML input.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
IBM Aspera Faspex 4.4.2 PL2 and earlier versions.
It is recommended that customers take one of the following actions as soon as possible:
1. Upgrade to Faspex v5. Given the impending end of service of Version 4 later this year, this is an important action all customers should take.
Faspex 5.0.4 can be downloaded from here. Installation instructions can be found here.
2. Apply the latest version 4 patch - 4.4.2 PL3, see links below.
Product(s) | Fixing VRM | Platform | Link to Fix |
---|---|---|---|
IBM Aspera Faspex |
4.4.2 PL3
| Windows| click here
IBM Aspera Faspex|
4.4.2 PL3
| Linux| click here
This fix mitigates CVE-2023-27874.