Security Bulletin: OpenSSL vulnerabilites (CVE-2019-1563, CVE-2019-1547) impacting IBM Aspera High-Speed Transfer Server 3.9.1, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 3.9.1 and earlier

Summary

OpenSSL vulnerabilites (CVE-2019-1563, CVE-2019-1547) impacting IBM Aspera High-Speed Transfer Server 3.9.1, Aspera High-Speed Transfer Endpoint 3.9.1, Aspera Desktop Client 3.9.1 and earlier. The fix is delivered in IBM Aspera High-Speed Transfer Server 3.9.6, Aspera High-Speed Transfer Endpoint 3.9.6, Aspera Desktop Client 3.9.6.

Vulnerability Details

CVEID:CVE-2019-1563
**DESCRIPTION:**OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167022 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-1547
**DESCRIPTION:**OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the cofactor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167020 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Workarounds and Mitigations

None