Security Bulletin: IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint has addressed multiple security vulnerabilities (CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)

Summary

This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera High-Speed Transfer Server 4.4.1 and Aspera High-Speed Transfer Endpoint 4.4.1

Vulnerability Details

CVEID:CVE-2022-27774
**DESCRIPTION:**cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the “same host check” feature during a cross protocol redirects. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225294 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-27776
**DESCRIPTION:**cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw when asked to send custom headers or cookies in its HTTP requests. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain authentication or cookie header data information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225296 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-27775
**DESCRIPTION:**cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a logic error in the config matching function. By sending a specially-crafted request using IPv6, an attacker could exploit this vulnerability to cause libcurl to reuse the wrong connection to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225295 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM Aspera High-Speed Transfer Server 4.4.0 and earlier
IBM Aspera High-Speed Transfer Endpoint 4.4.0 and earlier

Remediation/Fixes

The fix for this set of vulnerabilities was delivered in IBM Aspera High-Speed Transfer Server V4.4.1 and IBM Aspera High-Speed Transfer Endpoint V4.4.1. The recommended solution is to apply the fix as soon as possible:

4.4.1

| AIX| click here
IBM Aspera High-Speed Transfer Server|

4.4.1

| Linux| click here
IBM Aspera High-Speed Transfer Server|

4.4.1

| Linux PPC| click here
IBM Aspera High-Speed Transfer Server|

4.4.1

| Linux zSeries| click here
IBM Aspera High-Speed Transfer Server|

4.4.1

| Mac OSX| click here
IBM Aspera High-Speed Transfer Server|

4.4.1

| Windows| click here
IBM Aspera High-Speed Transfer Endpoint|

4.4.1

| AIX| click here
IBM Aspera High-Speed Transfer Endpoint|

4.4.1

| Linux| click here
IBM Aspera High-Speed Transfer Endpoint|

4.4.1

| Linux PPC| click here
IBM Aspera High-Speed Transfer Endpoint|

4.4.1

| Linux zSeries| click here
IBM Aspera High-Speed Transfer Endpoint|

4.4.1

| Mac OSX| click here
IBM Aspera High-Speed Transfer Endpoint|

4.4.1

| Windows| click here

Workarounds and Mitigations

None