Feb 02, 2023 - 4:36 p.m.

Security Bulletin: IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint has addressed multiple security vulnerabilities (CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)

www.ibm.com

CVSS2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.003
Percentile: 68.9%

Summary

This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera High-Speed Transfer Server 4.4.1 and Aspera High-Speed Transfer Endpoint 4.4.1.

Vulnerability Details

CVEID: CVE-2022-27774
**DESCRIPTION:** cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the "same host check" feature during cross-protocol redirects. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain credential information and use it to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225294 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-27776
**DESCRIPTION:** cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw when asked to send custom headers or cookies in its HTTP requests. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain authentication or cookie header data and use it to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225296 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-27775
**DESCRIPTION:** cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a logic error in the config matching function. By sending a specially crafted request using IPv6, an attacker could exploit this vulnerability to cause libcurl to reuse the wrong connection, obtain sensitive information, and use it to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225295 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM Aspera High-Speed Transfer Server 4.4.0 and earlier
IBM Aspera High-Speed Transfer Endpoint 4.4.0 and earlier

Remediation/Fixes

The fix for this set of vulnerabilities was delivered in IBM Aspera High-Speed Transfer Server V4.4.1 and IBM Aspera High-Speed Transfer Endpoint V4.4.1. The recommended solution is to apply the fix as soon as possible:

| Product(s) | Fixing VRM | Platform | Link to Fix |
|---|---|---|---|
| IBM Aspera High-Speed Transfer Server | 4.4.1 | AIX | click here |
| IBM Aspera High-Speed Transfer Server | 4.4.1 | Linux | click here |
| IBM Aspera High-Speed Transfer Server | 4.4.1 | Linux PPC | click here |
| IBM Aspera High-Speed Transfer Server | 4.4.1 | Linux zSeries | click here |
| IBM Aspera High-Speed Transfer Server | 4.4.1 | Mac OSX | click here |
| IBM Aspera High-Speed Transfer Server | 4.4.1 | Windows | click here |
| IBM Aspera High-Speed Transfer Endpoint | 4.4.1 | AIX | click here |
| IBM Aspera High-Speed Transfer Endpoint | 4.4.1 | Linux | click here |
| IBM Aspera High-Speed Transfer Endpoint | 4.4.1 | Linux PPC | click here |
| IBM Aspera High-Speed Transfer Endpoint | 4.4.1 | Linux zSeries | click here |
| IBM Aspera High-Speed Transfer Endpoint | 4.4.1 | Mac OSX | click here |
| IBM Aspera High-Speed Transfer Endpoint | 4.4.1 | Windows | click here |

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm aspera_high-speed_transfer_endpoint Match 4.0.0

| CPE | Name | Operator | Version |
|---|---|---|---|
| | aspera high-speed sync | eq | 4.0.0 |
