IBM Aspera Faspex Arbitrary Code Execution Vulnerability (CVE-2022-47986)
Dark Lab on Mar 14 2023
Share:
CVE-2022-47986 is a critical vulnerability in IBM's Aspera Faspex 4.4.2 Patch Level 1 and earlier caused by a YAML deserialisation flaw, which could allow a remote attacker to execute arbitrary code on the compromised system by sending a specially crafted obsolete API call. The vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog on 21 February 2023.
IBM advises users running vulnerable versions to apply the patch as soon as possible, as no further workarounds or mitigations are available.
https://www.ibm.com/support/pages/node/6952319
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln/detail/CVE-2022-47986
https://www.ibm.com/support/pages/node/6952319
https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/ (PoC)
https://github.com/ohnonoyesyes/CVE-2022-47986
IBM advises users running vulnerable versions to apply the patch as soon as possible, as no further workarounds or mitigations are available.
https://www.ibm.com/support/pages/node/6952319
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln/detail/CVE-2022-47986
https://www.ibm.com/support/pages/node/6952319
https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/ (PoC)
https://github.com/ohnonoyesyes/CVE-2022-47986