Security Bulletin: IBM Aspera Orchestrator improved security for user session handling (CVE-2023-26288, CVE-2023-38001)

Published: 2024-07-24 22:47:49
Source: www.ibm.com
Tags: ibm aspera orchestrator, security bulletin, user session handling, cve-2023-38001, cross-site request forgery, cve-2023-26288, session invalidation

CVSS 3.1 base score (highest of the two CVEs in this bulletin, i.e. CVE-2023-38001): 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: Required
  Scope: Unchanged
  Confidentiality Impact: None
  Integrity Impact: High
  Availability Impact: None

AI Score (Vulners): 7.6, confidence: Low
EPSS: 0 (percentile 13.7%)

Summary

IBM Aspera Orchestrator has addressed multiple vulnerabilities related to user session handling.

Vulnerability Details

CVEID: CVE-2023-38001
**DESCRIPTION:** IBM Aspera Orchestrator is vulnerable to cross-site request forgery (CSRF). An attacker could cause a user whom the application trusts to transmit malicious, unauthorized requests, so that state-changing actions are carried out with the victim's authenticated session.
CVSS Base score: 6.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/260206 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2023-26288
**DESCRIPTION:** IBM Aspera Orchestrator does not invalidate existing sessions after a password change, so a session established before the change (for example one already in an attacker's hands) remains usable. This could allow an authenticated user to impersonate another user on the system.
CVSS Base score: 5.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/248477 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
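The two flaw classes described above, as an added example that is not IBM's code and not taken from the Orchestrator code base: a small in-memory session model with a state-changing handler and a password-change handler, each switchable between the vulnerable behaviour the bulletin describes and a hardened one (for CSRF, a synchronizer token bound to the session plus an Origin allow-list; for the password change, revocation of all of the user's sessions and re-issue of the caller's). The origin https://orchestrator.example, the user names, tokens and the Request shape are assumptions made for the demonstration and do not come from the bulletin.

```python
"""Added example, not IBM Aspera Orchestrator code: a minimal session store that
models this bulletin's two flaw classes beside hardened versions. Users, origins,
tokens and the Request shape are constructed for the demonstration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ALLOWED_ORIGINS = {"https://orchestrator.example"}  # assumed application origin


@dataclass
class Request:                    # stand-in for an HTTP request
    sid: str                      # session cookie value
    form: dict                    # POST body
    origin: Optional[str] = None  # Origin header, None if the browser sent none


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """In-memory users and sessions; every session carries its own CSRF token."""

    def __init__(self):
        self.sessions = {}     # sid -> {"user": ..., "csrf": ...}
        self.credentials = {}  # user -> (salt, PBKDF2 digest)
        self.profiles = {}     # user -> {"email": ...}

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, _digest(password, salt))

    def new_session(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def login(self, user, password):
        salt, stored = self.credentials.get(user, (b"", b""))
        if not stored or not hmac.compare_digest(_digest(password, salt), stored):
            return None
        return self.new_session(user)

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def _csrf_ok(store, req):
    """Synchronizer token bound to the session, plus an Origin allow-list."""
    if req.origin is not None and req.origin not in ALLOWED_ORIGINS:
        return False
    expected = store.sessions[req.sid]["csrf"]
    return hmac.compare_digest(req.form.get("csrf_token", ""), expected)


def change_email(store, req, check_csrf=True):
    """State-changing action. With check_csrf=False it has the CVE-2023-38001
    class flaw: the cookie alone authorises it, so a cross-site POST that rides
    on the victim's cookie is accepted."""
    user = store.user_for(req.sid)
    if user is None or (check_csrf and not _csrf_ok(store, req)):
        return False
    store.profiles[user] = {"email": req.form["email"]}
    return True


def change_password(store, req, revoke_sessions=True):
    """Password change. With revoke_sessions=False it has the CVE-2023-26288
    class flaw: the credential rotates but every existing session stays valid."""
    user = store.user_for(req.sid)
    if user is None or not _csrf_ok(store, req):
        return None
    store.set_password(user, req.form["new_password"])
    if not revoke_sessions:
        return req.sid
    for sid in [s for s, e in store.sessions.items() if e["user"] == user]:
        del store.sessions[sid]      # includes the caller's own id
    return store.new_session(user)   # fresh id so the caller stays logged in


def demo():
    """Exercise both flaws and both fixes; returns the observed outcomes."""
    store = SessionStore()
    store.set_password("alice", "correct horse")
    victim = store.login("alice", "correct horse")
    stolen = store.login("alice", "correct horse")  # assumed already in an attacker's hands
    token = store.sessions[victim]["csrf"]
    same_site, cross_site = "https://orchestrator.example", "https://attacker.example"
    forged = Request(victim, {"email": "attacker@example.net"}, cross_site)
    legit = Request(victim, {"email": "alice@example.net", "csrf_token": token}, same_site)
    out = {"forged_accepted_vulnerable": change_email(store, forged, check_csrf=False),
           "forged_accepted_hardened": change_email(store, forged),
           "legit_accepted_hardened": change_email(store, legit)}
    pw = Request(victim, {"new_password": "new one", "csrf_token": token}, same_site)
    change_password(store, pw, revoke_sessions=False)
    out["stolen_alive_after_vulnerable_change"] = store.user_for(stolen) is not None
    fresh = change_password(store, pw)
    out["stolen_alive_after_hardened_change"] = store.user_for(stolen) is not None
    out["caller_keeps_access"] = store.user_for(fresh) == "alice"
    out["old_password_rejected"] = store.login("alice", "correct horse") is None
    return out
```

demo() returns the outcomes of each request; the only difference between the vulnerable and hardened paths is the guard (token and Origin check, session revocation), which is what the bulletin's fix has to add. In a real deployment the equivalent controls are the web framework's CSRF protection on every state-changing route and a session table keyed by user that the password-change path can clear.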

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Aspera Orchestrator | 4.0.1 and prior versions

Remediation/Fixes

IBM strongly recommends addressing both vulnerabilities now by applying the fix below as soon as possible:

Product | Version | Platform | Link to Fix
IBM Aspera Orchestrator | 4.0.1 PL3 | Linux | (download link provided on the IBM bulletin page)

Workarounds and Mitigations

None

Affected configurations (Vulners CPE matching)

Vendor | Product | Version | CPE
ibm | aspera_server_on_demand | 1.0 | cpe:2.3:a:ibm:aspera_server_on_demand:1.0:*:*:*:*:*:*:*
ibm | aspera_faspex | 1.0 | cpe:2.3:a:ibm:aspera_faspex:1.0:*:*:*:*:*:*:*
ibm | aspera_orchestrator | 4.0.0 | cpe:2.3:a:ibm:aspera_orchestrator:4.0.0:*:*:*:*:*:*:*
ibm | aspera_orchestrator | 4.0.1 | cpe:2.3:a:ibm:aspera_orchestrator:4.0.1:*:*:*:*:*:*:*

Note that the Aspera Server On Demand and Aspera Faspex entries come from the aggregator's CPE matching; the bulletin itself lists only IBM Aspera Orchestrator 4.0.1 and prior as affected.
