
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-47986 is a critical pre-authentication YAML deserialization vulnerability affecting IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier versions. The vulnerability was discovered by Max Garrett from Assetnote and disclosed to IBM in October 2022. IBM published an advisory on January 26, 2023, and the vulnerability was assigned a CVSS score of 9.8 (IBM Advisory, Rapid7).
The vulnerability is caused by a YAML deserialization flaw in Ruby on Rails code that can be triggered by sending a specially crafted obsolete API call to the system. The vulnerable endpoint is located at /packagerelay/relaypackage and processes user-controlled input through an unsafe YAML.load function, allowing for arbitrary class instantiation (Assetnote).
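The root cause described above, the unsafe `YAML.load` pattern beside its hardened `YAML.safe_load` form, shown as an added Ruby example that is not code from the Faspex codebase or from IBM's advisory. The `RelayPackage` class and both YAML documents are constructed stand-ins for the demo; on Psych 4 (Ruby 3.1+) the full loader is exposed as `YAML.unsafe_load`, which the helper accounts for.

```ruby
require 'yaml'

# Constructed stand-in for an application class. The full Psych loader will
# allocate any class named by a !ruby/object tag and set its instance
# variables from attacker-supplied YAML; this class itself is harmless.
class RelayPackage
  attr_reader :name
end

# Constructed input that names a Ruby class through a YAML tag.
TAGGED_DOC = "--- !ruby/object:RelayPackage\nname: report.pdf\n"
# Constructed benign input of the shape an API endpoint would expect.
PLAIN_DOC = "---\nname: report.pdf\nsize: 42\n"

# Vulnerable pattern: the full loader honours !ruby/object tags.
# Psych >= 4 made YAML.load safe and moved the old behaviour to
# YAML.unsafe_load; older versions only have the unsafe YAML.load.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: safe_load builds only core types (Hash, Array, String,
# Integer, Float, nil, true, false) and raises on any other class tag.
def safe_parse(doc)
  YAML.safe_load(doc)
end

# Summarises what a loader did with a document so the outcome can be
# checked as a return value: :plain_hash, :rejected, or :instantiated_<Class>.
def classify(loader, doc)
  result = send(loader, doc)
  result.is_a?(Hash) ? :plain_hash : :"instantiated_#{result.class}"
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $0
  puts "unsafe loader on tagged doc: #{classify(:unsafe_parse, TAGGED_DOC)}"
  puts "safe loader on tagged doc:   #{classify(:safe_parse, TAGGED_DOC)}"
  puts "safe loader on plain doc:    #{classify(:safe_parse, PLAIN_DOC)}"
end
```

The first call shows the loader instantiating whatever class the document names, which is the primitive behind this class of bug; the second shows `safe_load` rejecting the same document while still parsing ordinary data.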
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the target system with the privileges of the application. Since Aspera Faspex is typically installed on the network perimeter and handles sensitive file transfers, compromise could lead to unauthorized access to privileged information and system control (Rapid7).
Organizations are strongly advised to upgrade to IBM Aspera Faspex 4.4.2 Patch Level 2 or a later version, which removes the vulnerable obsolete API call. Because the vulnerability is being actively exploited, patching should be treated as an emergency priority rather than deferred to the regular patch cycle (IBM Advisory, Rapid7).
Security researchers and organizations have emphasized the critical nature of this vulnerability, particularly because it requires no authentication and because Aspera Faspex installations typically handle sensitive data. Multiple security firms have reported ongoing exploitation attempts and compromises, leading to its inclusion in CISA's Known Exploited Vulnerabilities catalog (Help Net Security).
Source: This report was generated using AI