PT-2023-1609 · IBM · IBM Aspera Faspex

Published: 2023-02-03 · Updated: 2025-10-27 · CVE-2022-47986

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: IBM Aspera Faspex versions 4.4.2 Patch Level 1 and earlier

Description: The issue is a YAML deserialization flaw that allows a remote attacker to execute arbitrary code on the system by sending a specially crafted request to an obsolete API call. That obsolete API call was removed in Faspex 4.4.2 PL2.

Recommendations: For IBM Aspera Faspex versions 4.4.2 Patch Level 1 and earlier, update to Faspex 4.4.2 Patch Level 2 to resolve the issue. As a temporary workaround until the patch can be applied, restrict access to the vulnerable /package_relay/relay_package API endpoint.
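The workaround above is only as good as the evidence that the endpoint is actually unreachable from untrusted networks. The following Python script is an added example (not part of this advisory or IBM's own tooling) that scans web-server access logs in common/combined format, flags every request to the obsolete relay endpoint, and reports the ones that were accepted (2xx) from an address outside an operator-supplied allowlist. The log lines, the allowlist CIDRs and the helper names are constructed for illustration; the endpoint path is the one named in the recommendation.

```python
"""Audit access logs for calls to the obsolete Faspex relay endpoint (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional

# Path segment of the obsolete API call named in the advisory.
OBSOLETE_ENDPOINT = "/package_relay/relay_package"

# Constructed sample log lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2023:10:01:12 +0000] "POST /package_relay/relay_package HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.7 - - [03/Feb/2023:10:02:40 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2023:10:03:01 +0000] "POST /package_relay/relay_package HTTP/1.1" 200 512 "-" "curl/7.85"
203.0.113.10 - - [03/Feb/2023:10:04:19 +0000] "POST /package_relay/relay_package?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.28"
"""

# Common / combined log format: client, identity, user, [timestamp], "request", status, size, [referer, agent].
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_obsolete_endpoint(path: str) -> bool:
    """True if the request path targets the obsolete relay endpoint.

    The query string is dropped, repeated slashes collapsed and the comparison is
    case-insensitive so trivial variations of the path are still matched.
    """
    normalised = re.sub(r"/+", "/", path.split("?", 1)[0]).lower()
    return normalised.endswith(OBSOLETE_ENDPOINT)


def find_relay_requests(log_text: str) -> List[Dict[str, str]]:
    """All parsed records whose path hits the obsolete endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_obsolete_endpoint(rec["path"]):
            hits.append(rec)
    return hits


def count_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Requests to the obsolete endpoint per client address."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


def accepted_from_untrusted(hits: List[Dict[str, str]], allowed_cidrs: List[str]) -> List[Dict[str, str]]:
    """Hits that were answered with 2xx from an address outside the allowlist.

    A non-empty result means the workaround (restricting the endpoint) is not in
    effect for that caller and the request warrants investigation.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for h in hits:
        if not h["status"].startswith("2"):
            continue  # rejected by the access restriction, nothing reached the app
        addr = ipaddress.ip_address(h["ip"])
        if not any(addr in n for n in nets):
            flagged.append(h)
    return flagged


if __name__ == "__main__":
    relay_hits = find_relay_requests(SAMPLE_LOG)
    print("requests to obsolete endpoint per source:", count_by_source(relay_hits))
    # Hypothetical allowlist: only the internal 10.0.0.0/8 range may reach the endpoint.
    for rec in accepted_from_untrusted(relay_hits, ["10.0.0.0/8"]):
        print(f"ACCEPTED from untrusted {rec['ip']} at {rec['ts']}: {rec['method']} {rec['path']}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents and the allowlist with the networks that legitimately need the endpoint; any record printed as accepted from an untrusted source shows the restriction is not yet enforced for that path.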

Exploit · Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2023-01108
CVE-2022-47986

Affected Products

IBM Aspera Faspex