IBM Aspera Faspex YAML deserialization

Added: 04/13/2023

Background

IBM Aspera Faspex is a centralized, high-speed transfer solution using the FASP protocol.

Problem

A YAML deserialization vulnerability allows remote attackers to execute arbitrary commands by sending a POST request for relay_package with specially crafted JSON content.

Resolution

Upgrade to Faspex 4.4.2 PL2 or higher.

References

https://www.ibm.com/support/pages/node/6952319

Limitations

Exploit works on Linux targets.

Platforms

Linux
