Security Bulletin: Aspera Applications are affected by an OpenSSL vulnerability (CVE-2016-8610)

Security Bulletin

 

Summary 

Aspera Applications has addressed the following OpenSSL vulnerability.

 

Vulnerability Details

CVEID: CVE-2016-8610
DESCRIPTION: SSL/TLS protocol is vulnerable to a denial of service, caused by an error when processing ALERT packets during a SSL handshake. By sending specially-crafted packets, a remote attacker could exploit this vulnerability to cause the application to stop responding.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118296 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

 

Affected Products and Versions

  • IBM Aspera Application Platform on Demand 3.6.0
  • IBM Aspera Azure on Demand 3.6.0
  • IBM Aspera Connect Server 3.6.3
  • IBM Aspera Console Application 3.1.1
  • IBM Aspera Enterprise Server 3.6.3
  • IBM Aspera Faspex Application (Windows) 4.0.3
  • IBM Aspera faspex on Demand 6.0
  • IBM Aspera FaspStream 3.7.0
  • IBM Aspera Orchestrator (Windows) 2.6.1
  • IBM Aspera Point to Point Client 3.6.3
  • IBM Aspera Proxy 1.4.0
  • IBM Aspera Server on Demand 6.0
  • IBM Aspera Sync (Mac) 3.5.3
  • IBM Aspera Transfer Cluster Manager with AutoScale 3.6.0
  • IBM Aspera Virtual Catcher (Windows) 2.4.5

 

Remediation/Fixes

Product

VRMF

APAR

Remediation / First Fix

IBM Aspera Console Application

3.2.0 or higher

None

http://downloads.asperasoft.com/en/downloads/3

IBM Aspera Faspex Application (Windows)

4.1.0 or higher

None

http://downloads.asperasoft.com/en/downloads/6

IBM Aspera Orchestrator (Windows)

2.7.1 or higher

None

http://downloads.asperasoft.com/en/downloads/27

IBM Aspera Virtual Catcher (Windows)

3.0.2 or higher

None

http://downloads.asperasoft.com/en/downloads/51

IBM Aspera Transfer Cluster Manager with AutoScale

1.2.3 or higher

None

http://downloads.asperasoft.com/en/downloads/53

IBM Aspera faspex on Demand

3.7.3 or higher

None

http://downloads.asperasoft.com/en/downloads/56

IBM Aspera Application Platform on Demand

3.7.3 or higher

None

http://downloads.asperasoft.com/en/downloads/54

IBM Aspera Server on Demand

3.7.3 or higher

None

http://downloads.asperasoft.com/en/downloads/55

IBM Aspera Azure on Demand

3.7.2 or higher

None

Available on Azure Marketplace

IBM Aspera Enterprise Server

3.7.4 or higher

None

http://downloads.asperasoft.com/en/downloads/1

IBM Aspera Connect Server 

3.7.4 or higher

None

http://downloads.asperasoft.com/en/downloads/4

IBM Aspera Point to Point Client 

3.7.4 or higher

None

http://downloads.asperasoft.com/en/downloads/7

IBM Aspera FaspStream 

3.7.2 or higher

None

http://downloads.asperasoft.com/en/downloads/60

IBM Aspera Proxy

1.4.1 or higher

None

http://downloads.asperasoft.com/en/downloads/42

IBM Aspera Sync (Mac) 

3.7.4 or higher

None

http://downloads.asperasoft.com

 

Workarounds and Mitigations

There is no plan for interim workarounds/mitigations.

 

Important note: IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

 

References 

Complete CVSS v3 Guide

On-line Calculator v3

 

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

 

Change History

2 October 2017: Original version published

 

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

 

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk