Aspera Security Vulnerability
On April 24th, IBM announced what they are calling a Buffer Overflowvulnerability in the aspshell executable of Aspera. This vulnerability effects all versions of the High-Speed Transfer Server prior to version 3.9.6.1, all versions of the High-Speed Endpoint prior to version 3.9.6.1, and all versions of the Aspera Proxy prior to version 1.4.4.1.
If you are running any affected versions of Aspera, you should immediately upgrade or apply the vulnerability patch.
Sections
To Install the Patch on Linux
Download the patch from here.
Simply copy/replace the new aspshell file over the existing aspshell at /opt/aspera/bin
cp /path/to/downloaded/aspshell /opt/aspera/bin
chmod 0755 /opt/aspera/bin/aspshell
chown root:root /opt/aspera/bin/aspshell
Validate the checksum on the new aspshell binary
sha256sum /opt/aspera/bin/aspshell
Ensure the checksum results in:
cf9b6de9f6e5eff03dae1beb86aa5a53b038b014d2304b1a6f2dd293342f9d9f
To Install the Patch on Windows
Download the patch from here.
Simply copy/replace the new aspshell file over the existing aspshell.
For the High-Speed Transfer Server, aspshell is located at: “%PROGRAMFILES%\Aspera\Enterprise Server\bin\”
For the High-Speed Transfer Endpoint, aspshell is located at: “%PROGRAMFILES%\Aspera\Point-to-Point\bin\aspshell C:\ProgramData\”
copy path_to_downloaded_aspshell “%PROGRAMFILES%\Aspera\Enterprise Server\bin\”
Validate the checksum on the new aspshell binary
certutil -hashfile path_to_downloaded_aspshell.exe SHA256
Ensure the checksum results in:
4f1e68895bb10b936d574557f8dab888f1201e5e5d859aec9789d07f2ccc8da9
More Information
For more information, see the Security Bulletin on IBM’s website
