IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a buffer overflow in the asperahttpd component. This vulnerability could be exploited to cause a denial of service and potentially lead to authentication bypass or remote code execution.
The vulnerability classified as CWE-122 (heap-based buffer overflow) occurs in the asperahttpd component responsible for handling HTTP requests in IBM Aspera products. An attacker can send a specially crafted network request that causes a heap buffer overflow. Memory overwriting can lead to process destabilization (DoS), authentication mechanism bypass, or seizure of control over code execution on the server.
An attacker requiring no authentication can remotely cause service unavailability, bypass authentication mechanisms, or gain full control over the system through remote code execution (RCE). The vulnerability has a critical impact on the confidentiality, integrity, and availability of the system.
Apply patches available from the vendor according to references: https://www.ibm.com/support/pages/node/7273615. Urgent update to a patched version is recommended, and network access to the asperahttpd component should be restricted to trusted hosts only until the patch is applied.
IBM Aspera High-Speed Transfer Endpoint in versions 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server in versions 3.7.4 through 4.4.7 Fix Pack 1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIBM Aspera High Speed Transfer Endpoint
APPIbm4.4.73.7.4 – 4.4.6IBM Aspera High Speed Transfer Server
APPIbm4.4.73.7.4 – 4.4.6
Related vulnerabilities
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Serv...
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Serv...
Certain IBM Aspera applications are vulnerable to buffer overflow based on the product configuration and valid...
Certain IBM Aspera applications are vulnerable to arbitrary memory corruption based on the product configurati...
Certain IBM Aspera applications are vulnerable to buffer overflow after valid authentication, which could allo...