CVE-2022-43847
📋 TL;DR
IBM Aspera Console versions 3.4.0 through 3.4.4 are vulnerable to HTTP header injection due to improper validation of HOST headers. This allows attackers to inject malicious HTTP headers, potentially leading to cross-site scripting, cache poisoning, or session hijacking attacks. Organizations using these vulnerable versions of IBM Aspera Console are affected.
💻 Affected Systems
- IBM Aspera Console
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack user sessions, steal credentials, redirect users to malicious sites, or poison web caches to serve malicious content to multiple users.
Likely Case
Attackers would most likely conduct cross-site scripting attacks to steal session cookies or redirect users to phishing sites.
If Mitigated
With proper input validation and output encoding, the impact would be limited to unsuccessful injection attempts logged by the system.
🎯 Exploit Status
HTTP header injection typically requires minimal technical skill to exploit once the vulnerability is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IBM Aspera Console 3.4.5 and later
Vendor Advisory: https://www.ibm.com/support/pages/node/7169766
Restart Required: Yes
Instructions:
1. Download IBM Aspera Console version 3.4.5 or later from IBM Fix Central.
2. Back up the current configuration and data.
3. Stop the Aspera Console service.
4. Install the updated version.
5. Restart the service.
6. Verify functionality.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Configure WAF rules to block or sanitize malicious HOST header values
Reverse Proxy Filtering
Use a reverse proxy to validate and sanitize HOST headers before they reach the application
🧯 If You Can't Patch
- Implement strict input validation at network perimeter to filter malicious HOST headers
- Monitor for unusual HTTP header patterns and implement rate limiting on affected endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Aspera Console version via the web interface or configuration files. If version is between 3.4.0 and 3.4.4 inclusive, the system is vulnerable.
Check Version:
Check the web interface or examine the application configuration files for version information.
Verify Fix Applied:
After patching, verify the version shows 3.4.5 or later. Test with controlled HOST header injection attempts to confirm they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual HOST header values in HTTP logs
- Multiple failed injection attempts
- Unexpected redirects or header modifications
Network Indicators:
- HTTP requests with malformed or unusually long HOST headers
- Requests containing script tags or other malicious payloads in headers
SIEM Query:
source="aspera_console" AND (http.host CONTAINS "<script>" OR http.host CONTAINS "javascript:" OR LENGTH(http.host) > 100)
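The following is an added example, not code from IBM or from this advisory: it implements the reverse-proxy HOST allowlist check described under Temporary Workarounds and the log indicators listed under Detection & Monitoring (oversized values, script payloads, CR/LF). The allowed hostname, the log line format and the sample log lines are all constructed assumptions.

```python
import re
# Constructed allowlist (assumption): the names this console is actually served under.
ALLOWED_HOSTS = {"console.example.internal"}
# RFC 1123 host (labels <= 63 chars) plus optional :port; CR/LF, '<', spaces etc. fail.
_HOST_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?", re.IGNORECASE)
_PAYLOAD_RE = re.compile(r"<script|javascript:", re.IGNORECASE)
_CRLF_RE = re.compile(r"\\[rn]|[\r\n]")  # raw CR/LF, or the escaped \r\n loggers write
# Constructed log format: <client_ip> host="<Host header>" <method> <path> <status>
_LOG_RE = re.compile(r'^(\S+) host="([^"]*)" \S+ \S+ \d+$')

def host_header_findings(host, allowed=ALLOWED_HOSTS):
    """Indicator names triggered by one Host value; an empty list means clean."""
    reasons = []
    if not _HOST_RE.fullmatch(host):
        reasons.append("bad-syntax")
    elif host.split(":", 1)[0].lower() not in {h.lower() for h in allowed}:
        reasons.append("unknown-host")
    if len(host) > 100:
        reasons.append("oversized")
    if _PAYLOAD_RE.search(host):
        reasons.append("script-payload")
    if _CRLF_RE.search(host):
        reasons.append("crlf")
    return reasons

def host_header_is_valid(host, allowed=ALLOWED_HOSTS):
    """Proxy/WAF gate: forward only a well-formed Host that names this deployment."""
    findings = host_header_findings(host, allowed)
    return "bad-syntax" not in findings and "unknown-host" not in findings

def scan_log(lines, allowed=ALLOWED_HOSTS):
    """Apply the indicators to log lines; returns (client_ip, host, reasons) per hit."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m:
            reasons = host_header_findings(m.group(2), allowed)
            if reasons:
                hits.append((m.group(1), m.group(2), reasons))
    return hits

# Constructed sample lines: one clean request (port, mixed case) and three hostile Hosts.
SAMPLE_LOGS = [
    '203.0.113.11 host="console.example.internal<script>alert(1)</script>" GET / 400',
    '203.0.113.12 host="evil.example\\r\\nSet-Cookie: sid=x" GET / 400',
    '203.0.113.13 host="' + "a" * 120 + '.example" GET / 400',
    '203.0.113.10 host="CONSOLE.example.internal:443" GET /status 200',
]
```

Because the allowlist is exact, a request whose Host names any other server is dropped at the proxy regardless of whether it carries an obvious payload, which is the property the header-injection class depends on.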