CVSS v3 base score: 5.9 (Medium)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | NONE |
| Availability Impact | NONE |

CVSS v2 base score: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | NONE |
| Availability Impact | NONE |
Security Bulletin: SSLv2 DROWN Vulnerability (CVE-2016-0800)
A vulnerability in the SSLv2 protocol affects older versions of Aspera products. Newer versions of Aspera products no longer support SSLv2 and are therefore not affected. The recommended fix is to upgrade.
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a cross-protocol attack. An attacker who can reach any server that still accepts SSLv2 handshakes with a given RSA private key can use that server as a padding oracle to decrypt recorded TLS sessions that performed RSA key exchange with the same key, even when those sessions were made to a different service or a different host. Every SSLv2 server implementation is affected, and a deployment is exposed if SSLv2 is enabled on any service that shares its certificate or private key.
Note: all of the affected products have newer versions in which SSLv2 is disabled, so the vulnerability does not apply to them.
If you cannot upgrade, disable SSLv2 in the product's TLS configuration as described below for your product. After editing a file, restart the corresponding service so the new setting takes effect, and make the change on every host and service that uses the same certificate or key; leaving SSLv2 enabled on one of them keeps the others exposed.
Products that use the bundled Apache web server: modify the configuration file at the following location (Linux, then Windows):
/opt/aspera/common/apache/conf/extra/httpd-ssl.conf
C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\extra\httpd-ssl.conf
Modify or add the SSLProtocol directive so that SSLv2 is excluded, as shown below (the same line also excludes SSLv3, which is vulnerable to POODLE and should not be offered either):
SSLProtocol all -SSLv2 -SSLv3
Shares (nginx): modify the configuration file at the following location (Linux, then Windows):
/opt/aspera/shares/etc/nginx/nginx.conf
C:\Shares\nginx\conf\nginx.conf
Modify or add the ssl_protocols directive so that only TLS versions are listed and SSLv2 is not included, as shown below:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Products that use aspera.conf: modify the configuration file at the following location (Linux, Windows, then macOS; product_name is the installed product's directory):
/opt/aspera/etc/aspera.conf
C:\Program Files (x86)\Aspera\product_name\etc\aspera.conf
/Library/Aspera/etc/aspera.conf
Modify or add the <ssl_protocol> element, which is found in the <server> section, so that it matches the following:
<ssl_protocol>tlsv1</ssl_protocol>
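Whichever file you edit, verify the result from the network rather than trusting the configuration: modern OpenSSL builds no longer accept `openssl s_client -ssl2`, so a raw probe is the simplest way to confirm a service has stopped answering SSLv2. The following script is an added example, not part of this bulletin and not Aspera code. It builds an SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind, sends it, and classifies the reply: an SSLv2 SERVER-HELLO means the endpoint is DROWN-exposed (and reports whether 40-bit export ciphers, which make the attack cheap, are among those offered), while a TLS alert or a closed connection means SSLv2 is off. The message layouts and cipher identifiers are from the SSLv2 specification; the sample server reply embedded for offline use is constructed, not captured. Hostname and port are supplied on the command line; only probe systems you are authorised to test.

```python
"""Probe a TLS endpoint for SSLv2 support (DROWN exposure check).

Added example, not part of the IBM bulletin and not Aspera code. It speaks
just enough SSLv2 to send a CLIENT-HELLO and classify the reply; the cipher
identifiers and message layouts come from the SSLv2 specification. The sample
server reply below is constructed for offline use, not captured traffic.
"""
import os
import socket
import struct

# SSLv2 CIPHER-KIND values (3 bytes each). The two *_EXPORT40_* kinds are the
# 40-bit ciphers that make the "general DROWN" oracle cheap to exploit.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_CIPHERS = {"SSL_CK_RC4_128_EXPORT40_WITH_MD5",
                  "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5"}


def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                          # MSG-CLIENT-HELLO
            + b"\x00\x02"                    # CLIENT-VERSION: SSL 2.0
            + struct.pack(">H", len(specs))  # CIPHER-SPECS-LENGTH
            + struct.pack(">H", 0)           # SESSION-ID-LENGTH (no resumption)
            + struct.pack(">H", len(challenge))
            + specs + challenge)
    # Two-byte record header: high bit set = no padding, low 15 bits = length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_response(data):
    """Classify the bytes a server sent back after our CLIENT-HELLO.

    Returns (sslv2_supported, cipher_names). A TLS-only server answers with a
    TLS alert or handshake record (first byte 0x15/0x16) or closes the
    connection; an SSLv2 server answers with a SERVER-HELLO (type 0x04) in an
    unpadded record, so only the two-byte header form is handled here.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return False, []                     # closed, TLS record, or garbage
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != 0x04:    # MSG-SERVER-HELLO
        return False, []
    # SERVER-HELLO header: type, session-id-hit, cert-type, version(2),
    # cert-len(2), cipher-specs-len(2), connection-id-len(2); then the data.
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], "unknown:" + specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return True, names


def assess(data):
    """Turn a server response into a DROWN verdict for the probed endpoint."""
    supported, names = parse_server_response(data)
    return {
        "sslv2": supported,
        "ciphers": names,
        "export_ciphers": sorted(set(names) & EXPORT_CIPHERS),
        # Any SSLv2 endpoint is DROWN-exposed for every key it shares;
        # export ciphers make the attack cheaper, not more or less present.
        "drown_exposed": supported,
    }


def probe(host, port=443, timeout=5.0):
    """Send one CLIENT-HELLO to host:port and assess the reply.

    Run it against every service and host that shares the certificate,
    not only port 443. Only use against systems you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return assess(data)


def make_sample_server_hello(cipher_specs, cert=b"\x30\x03\x02\x01\x00"):
    """Constructed SSLv2 SERVER-HELLO for offline demonstration (not captured)."""
    conn_id = b"\x00" * 16
    body = (b"\x04" + b"\x00" + b"\x01" + b"\x00\x02"     # type, no hit, X.509, SSL 2.0
            + struct.pack(">HHH", len(cert), len(cipher_specs), len(conn_id))
            + cert + cipher_specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed samples: a legacy server still accepting SSLv2 and offering an
# export-grade cipher, versus a TLS-only server answering with an alert.
SAMPLE_SSLV2_SERVER = make_sample_server_hello(b"\x01\x00\x80\x04\x00\x80")
SAMPLE_TLS_ONLY = b"\x15\x03\x01\x00\x02\x02\x46"   # TLS alert: protocol_version

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        print("legacy:", assess(SAMPLE_SSLV2_SERVER))
        print("tls-only:", assess(SAMPLE_TLS_ONLY))
```

Run with no arguments to see the two constructed cases classified; run with a host (and optional port) to probe a live endpoint. A result with `"sslv2": False` for every host and port that uses the certificate is what you want after applying the configuration above and restarting the service; a single remaining SSLv2 listener anywhere that key is installed keeps the whole deployment exposed.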
| CPE | Name | Operator | Version |
|---|---|---|---|
| | ibm aspera | eq | any |