{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "tracking": {
      "current_release_date": "2022-07-21T18:00:00.000Z",
      "id": "ARUBA-PSA-2022-010",
      "initial_release_date": "2022-05-17T18:00:00.000Z",
      "status": "final",
      "version": "4",
      "revision_history": [
        {
          "date": "2022-05-17T17:00:00.000Z",
          "number": "1",
          "summary": "Initial release"
        },
        {
          "number": "2",
          "date": "2022-06-01T17:00:00.000Z",
          "summary": "ClearPass Policy Manager information added.\nEdgeConnect Enterprise Orchestrator Cloud products moved to unaffected."
        },
        {
          "date": "2022-07-07T17:00:00.000Z",
          "number": "3",
          "summary": "AOS-CX information added."
        },
        {
          "date": "2022-07-21T17:00:00.000Z",
          "number": "4",
          "summary": "Aruba Location Engine information added.\nAruba Central On-Premises information added.\nAruba Virtual Intranet Access (VIA) information added.\nArubaOS Wi-Fi Controllers and Gateways information added.\nArubaOS SD-WAN Gateways information added.\nRemoved products under investigation section.\nMarked status as confirmed."
        }
      ]
    },
    "publisher": {
      "category": "vendor",
      "namespace": "https://www.arubanetworks.com/support-services/sirt/",
      "name": "HPE Aruba Networking",
      "issuing_authority": "Aruba’s Security Incident Response Team (SIRT) is responsible for receiving, tracking, managing, and disclosing vulnerabilities in Aruba products. The Aruba SIRT actively works with industry, non-profit, government organizations, and the security community when vulnerabilities are reported. A security vulnerability is defined as any weakness in a product that allows an attacker to compromise the confidentiality, integrity, or availability of a product, customer infrastructure, or IT system through an Aruba product in that environment.",
      "contact_details": "Email: sirt@arubanetworks.com - For further details please see https://www.arubanetworks.com/support-services/sirt/"
    },
    "lang": "en-US",
    "title": "Multiple Vulnerabilities in Expat XML processing library",
    "notes": [
      {
        "category": "summary",
        "text": "Multiple CVEs have been disclosed that involve the faulty handling of XML input by the Expat XML parsing library. These CVEs impact multiple Aruba products.\n\nDetails can be found at:\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25235\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25236\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25313\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25314\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25315",
        "title": "Summary"
      },
      {
        "category": "general",
        "title": "Affected Products",
        "text": "  - AirWave Management Platform\n    - 8.2.14.0 and below\n\n  - Aruba Analytics and Location Engine\n    - 2.2.0.2 and below\n\n  - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)\n    - 6.2.0 and below\n\n  - Aruba Central On-Premises\n    - 2.5.4.x and below\n\n  - Aruba ClearPass Policy Manager\n    - 6.10.4 and below\n    - 6.9.10 and below\n    - 6.8.9 without Hotfix for Q1 2022 Security issues\n\n  - ArubaOS-CX Switches\n    - 10.09.1030 and below\n    - 10.08.1060 and below\n    - 10.07.0070 and below\n    - 10.06.0200 and below\n\n  - ArubaOS Wi-Fi Controllers and Gateways\n  - ArubaOS SD-WAN Gateways\n    - Please note that this only affects controllers and\n      gateways based on the x86 architecture.\n      This includes the following models:\n      - Aruba 9000 Series Controllers\n      - Aruba 9200 Series Controllers\n      - Aruba Virtual Mobility Controllers\n      - Aruba Virtual and Hardware-based Mobility Conductors\n    - The affected code versions are as follows:\n    - ArubaOS 8.6.x:  8.6.0.18 and below\n    - ArubaOS 8.7.x:  8.7.1.9 and below\n    - ArubaOS 8.10.x: 8.10.0.2 and below\n    - ArubaOS 10.3.x: 10.3.1.0 and below\n    - SDWAN 2.X:      8.7.0.0-2.3.0.7 and below\n\n  - Aruba EdgeConnect Enterprise\n    - ECOS 9.1.1.3 and below\n    - ECOS 9.0.6.0 and below\n    - ECOS 8.3.6.0 and below\n    - The impact of these vulnerabilities on ECOS is very low.\n\n  - Aruba EdgeConnect Enterprise Orchestrator (on-premises)\n    - See the resolution section for details\n\n  - Aruba Virtual Intranet Access (VIA)\n    - Affects macOS/OS X versions only; other platforms are unaffected\n    - 4.3.0 and below"
      },
      {
        "category": "general",
        "title": "Unaffected Products",
        "text": "  - Aruba Instant / Aruba Instant Access Points\n  - Aruba Instant On\n  - Aruba IntroSpect\n  - Aruba NetEdit\n  - Aruba User Experience Insight (UXI)\n  - ArubaOS-S Switches\n  - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service\n  - Aruba EdgeConnect Enterprise Orchestrator-SP\n  - Aruba EdgeConnect Enterprise Orchestrator Global Enterprise\n\nOther Aruba products not listed above are also not known to be affected by these vulnerabilities."
      },
      {
        "category": "other",
        "title": "Exploitation and Public Discussion",
        "text": "These vulnerabilities are being widely discussed in public. Aruba is not aware of any exploitation tools or techniques that specifically target Aruba products."
      },
      {
        "category": "general",
        "title": "Aruba SIRT Security Procedures",
        "text": "Complete information on reporting security vulnerabilities in HPE\nAruba Networking products and obtaining assistance with security\nincidents is available at:\n\nhttps://www.arubanetworks.com/support-services/security-bulletins/\n\nFor reporting *NEW* HPE Aruba Networking security issues, email\ncan be sent to aruba-sirt(at)hpe.com. For sensitive information\nwe encourage the use of PGP encryption. Our public keys can be\nfound at:\n\nhttps://www.arubanetworks.com/support-services/security-bulletins/"
      },
      {
        "category": "legal_disclaimer",
        "text": "(c) Copyright 2023 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.",
        "title": "Legal Disclaimer"
      }
    ],
    "aggregate_severity": {
      "text": "Critical",
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale"
    },
    "references": [
      {
        "summary": "Original Advisory",
        "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-010.txt"
      },
      {
        "summary": "HPE Aruba Networking Security Advisory Archive",
        "url": "https://www.arubanetworks.com/support-services/security-bulletins/"
      },
      {
        "summary": "HPE Aruba Networking Product Security Incident Response Policy",
        "url": "https://www.arubanetworks.com/support-services/sirt/"
      }
    ],
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    }
  },
  "vulnerabilities": [
    {
      "title": "Multiple Vulnerabilities in Expat XML processing library",
      "notes": [
        {
          "category": "details",
          "text": "Vulnerabilities have been identified in a commonly used component (the Expat XML parsing library) in multiple Aruba products. These vulnerabilities allow attackers to use specially crafted XML input to potentially cause denial of service conditions or remote code execution.\n\nDetails can be found at:\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25235\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25236\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25313\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25314\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25315\n\nInternal references: ATLCP-191, ATLAX-60, ATLWL-293, ATLWL-183, ATLWL-292, ATLWL-192, ATLSP-1\n\nCVSS vectors and scores provided by NVD are as follows:\nCVE-2022-25235 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical\nCVE-2022-25236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical\nCVE-2022-25313 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 medium\nCVE-2022-25314 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 high\nCVE-2022-25315 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical\n\nAruba Threat Labs analyzed and tested these vulnerabilities in the products that use the affected component and found that exploitation is not straightforward and depends on many factors that an attacker may not be able to control.\n\nAruba has chosen to keep the NVD-provided severity scores as a reference. Based on ongoing testing, the impact on products using the affected component is very low.",
          "title": "Details"
        },
        {
          "category": "other",
          "title": "Internal Reference",
          "text": "ATLCP-191, ATLAX-60, ATLWL-293, ATLWL-183, ATLWL-292, ATLWL-192, ATLSP-1"
        }
      ],
      "product_status": {
        "fixed": [
          "8.2.14.1_airwave",
          "2.2.0.3_ALE",
          "6.2.1_AFC",
          "6.10.5_cppm",
          "6.9.11",
          "6.8.9_Hotfix_1_for_Security_issues_CPPM",
          "10.10.002_AOSCX",
          "10.09.1031_AOSCX",
          "10.08.1070_AOSCX",
          "10.07.0080_AOSCX",
          "10.06.0210_AOSCX",
          "8.6.0.19_AOS",
          "8.7.1.10_AOS",
          "8.10.0.3_AOS",
          "10.3.1.1_AOS"
        ],
        "known_affected": [
          "<=8.2.14.0_airwave",
          "<=2.2.0.2_ALE",
          "<=6.2.0_AFC",
          "<=2.5.4.x_COP",
          "<=6.10.4_CPPM",
          "<=10.06.0200_AOSCX",
          "<=10.07.0070_AOSCX",
          "<=10.08.1060_AOSCX",
          "<=10.09.1030_AOSCX",
          "<=8.6.0.18_AOS",
          "<=8.7.1.9_AOS",
          "<=8.10.0.2_AOS",
          ">=10.3.0.0|<=10.3.1.0_AOS",
          "<=4.3.0_via"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "version": "3.1",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL"
          },
          "products": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "8.2.14.1_airwave",
            "2.2.0.3_ALE",
            "6.2.1_AFC",
            "6.10.5_cppm",
            "6.9.11",
            "6.8.9_Hotfix_1_for_Security_issues_CPPM",
            "10.10.002_AOSCX",
            "10.09.1031_AOSCX",
            "10.08.1070_AOSCX",
            "10.07.0080_AOSCX",
            "10.06.0210_AOSCX",
            "8.6.0.19_AOS",
            "8.7.1.10_AOS",
            "8.10.0.3_AOS",
            "10.3.1.1_AOS"
          ],
          "category": "vendor_fix",
          "details": "  - AirWave Management Platform\n    - 8.2.14.1 and above\n\n  - Aruba Analytics and Location Engine\n    - 2.2.0.3 and above\n      Release ETA - late July 2022\n\n  - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)\n    - 6.2.1 and above\n\n  - Aruba Central On-Premises\n    - 2.5.5.0 and above\n      Release ETA - late July 2022\n\n  - Aruba ClearPass Policy Manager\n    - 6.10.5 and above\n    - 6.9.11 and above\n    - 6.8.9 with Hotfix for Q1 2022 Security issues applied\n\n  - ArubaOS-CX Switches\n    - 10.10.0002 and above\n    - 10.09.1031 and above\n    - 10.08.1070 and above\n    - 10.07.0080 and above\n    - 10.06.0210 and above\n\n  - ArubaOS Wi-Fi Controllers and Gateways\n  - ArubaOS SD-WAN Gateways\n    - Please note that this only affects controllers and\n      gateways based on the x86 architecture.\n      This includes the following models:\n      - Aruba 9000 Series Controllers\n      - Aruba 9200 Series Controllers\n      - Aruba Virtual Mobility Controllers\n      - Aruba Virtual and Hardware-based Mobility Conductors\n    - The fixed code versions are as follows:\n    - ArubaOS 8.6.x:  8.6.0.19 and above\n                      Release ETA - early September 2022\n    - ArubaOS 8.7.x:  8.7.1.10 and above\n                      Release ETA - late July 2022\n    - ArubaOS 8.10.x: 8.10.0.3 and above\n                      Release ETA - late August 2022\n    - ArubaOS 10.3.x: 10.3.1.1 and above\n                      Release ETA - early August 2022\n    - SDWAN 2.X:      8.7.0.0-2.3.0.8 and above\n                      Release ETA - late July 2022\n\n  - Aruba EdgeConnect Enterprise\n    - ECOS 9.1.1.4 and above\n    - ECOS 9.0.7.0 and above\n    - ECOS 8.3.7.0 and above\n    - The impact of these vulnerabilities on ECOS is very low.\n      Fixes will be applied only to the ECOS versions listed\n      above because of the minimal risk involved.\n\n  - Aruba EdgeConnect Enterprise Orchestrator (on-premises)\n    - Orchestrator itself does not use the expat library; the\n      expat package of the appliance operating system is what\n      needs updating:\n      - Customers using CentOS are advised to run 'yum update expat'\n        from the administrative command line. To verify that the\n        patch has been applied, run 'rpm -q --changelog expat' and\n        look for the specific CVE identifiers; if the changelog\n        entry for a CVE reads 'Resolves', the patch for that CVE\n        has already been applied.\n        - OR -\n      - Upgrading (from 9.0.6 or later) to any newer Orchestrator\n        version automatically updates expat and resolves this\n        vulnerability.\n      - New virtual machine images already contain the fix.\n      - Customers using Fedora must migrate to CentOS to receive\n        security updates. Please contact Customer Support for the\n        procedure.\n\n  - Aruba Virtual Intranet Access (VIA)\n    - Affects macOS/OS X versions only; other platforms are unaffected\n    - 4.4.0 and above\n\nAruba does not evaluate or patch product versions that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit:\nhttps://www.arubanetworks.com/support-services/end-of-life/"
        },
        {
          "product_ids": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ],
          "category": "workaround",
          "details": "To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above."
        }
      ],
      "cve": "CVE-2022-25235"
    },
    {
      "title": "Multiple Vulnerabilities in Expat XML processing library",
      "notes": [
        {
          "category": "details",
          "text": "Vulnerabilities have been identified in a commonly used component (the Expat XML parsing library) in multiple Aruba products. These vulnerabilities allow attackers to use specially crafted XML input to potentially cause denial of service conditions or remote code execution.\n\nDetails can be found at:\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25235\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25236\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25313\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25314\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25315\n\nInternal references: ATLCP-191, ATLAX-60, ATLWL-293, ATLWL-183, ATLWL-292, ATLWL-192, ATLSP-1\n\nCVSS vectors and scores provided by NVD are as follows:\nCVE-2022-25235 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical\nCVE-2022-25236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical\nCVE-2022-25313 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 medium\nCVE-2022-25314 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 high\nCVE-2022-25315 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical\n\nAruba Threat Labs analyzed and tested these vulnerabilities in the products that use the affected component and found that exploitation is not straightforward and depends on many factors that an attacker may not be able to control.\n\nAruba has chosen to keep the NVD-provided severity scores as a reference. Based on ongoing testing, the impact on products using the affected component is very low.",
          "title": "Details"
        },
        {
          "category": "other",
          "title": "Internal Reference",
          "text": "ATLCP-191, ATLAX-60, ATLWL-293, ATLWL-183, ATLWL-292, ATLWL-192, ATLSP-1"
        }
      ],
      "product_status": {
        "fixed": [
          "8.2.14.1_airwave",
          "2.2.0.3_ALE",
          "6.2.1_AFC",
          "6.10.5_cppm",
          "6.9.11",
          "6.8.9_Hotfix_1_for_Security_issues_CPPM",
          "10.10.002_AOSCX",
          "10.09.1031_AOSCX",
          "10.08.1070_AOSCX",
          "10.07.0080_AOSCX",
          "10.06.0210_AOSCX",
          "8.6.0.19_AOS",
          "8.7.1.10_AOS",
          "8.10.0.3_AOS",
          "10.3.1.1_AOS"
        ],
        "known_affected": [
          "<=8.2.14.0_airwave",
          "<=2.2.0.2_ALE",
          "<=6.2.0_AFC",
          "<=2.5.4.x_COP",
          "<=6.10.4_CPPM",
          "<=10.06.0200_AOSCX",
          "<=10.07.0070_AOSCX",
          "<=10.08.1060_AOSCX",
          "<=10.09.1030_AOSCX",
          "<=8.6.0.18_AOS",
          "<=8.7.1.9_AOS",
          "<=8.10.0.2_AOS",
          ">=10.3.0.0|<=10.3.1.0_AOS",
          "<=4.3.0_via"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "version": "3.1",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL"
          },
          "products": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "8.2.14.1_airwave",
            "2.2.0.3_ALE",
            "6.2.1_AFC",
            "6.10.5_cppm",
            "6.9.11",
            "6.8.9_Hotfix_1_for_Security_issues_CPPM",
            "10.10.002_AOSCX",
            "10.09.1031_AOSCX",
            "10.08.1070_AOSCX",
            "10.07.0080_AOSCX",
            "10.06.0210_AOSCX",
            "8.6.0.19_AOS",
            "8.7.1.10_AOS",
            "8.10.0.3_AOS",
            "10.3.1.1_AOS"
          ],
          "category": "vendor_fix",
          "details": "  - AirWave Management Platform\n    - 8.2.14.1 and above\n\n  - Aruba Analytics and Location Engine\n    - 2.2.0.3 and above\n      Release ETA - late July 2022\n\n  - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)\n    - 6.2.1 and above\n\n  - Aruba Central On-Premises\n    - 2.5.5.0 and above\n      Release ETA - late July 2022\n\n  - Aruba ClearPass Policy Manager\n    - 6.10.5 and above\n    - 6.9.11 and above\n    - 6.8.9 with Hotfix for Q1 2022 Security issues applied\n\n  - ArubaOS-CX Switches\n    - 10.10.0002 and above\n    - 10.09.1031 and above\n    - 10.08.1070 and above\n    - 10.07.0080 and above\n    - 10.06.0210 and above\n\n  - ArubaOS Wi-Fi Controllers and Gateways\n  - ArubaOS SD-WAN Gateways\n    - Please note that this only affects controllers and\n      gateways based on the x86 architecture.\n      This includes the following models:\n      - Aruba 9000 Series Controllers\n      - Aruba 9200 Series Controllers\n      - Aruba Virtual Mobility Controllers\n      - Aruba Virtual and Hardware-based Mobility Conductors\n    - The fixed code versions are as follows:\n    - ArubaOS 8.6.x:  8.6.0.19 and above\n                      Release ETA - early September 2022\n    - ArubaOS 8.7.x:  8.7.1.10 and above\n                      Release ETA - late July 2022\n    - ArubaOS 8.10.x: 8.10.0.3 and above\n                      Release ETA - late August 2022\n    - ArubaOS 10.3.x: 10.3.1.1 and above\n                      Release ETA - early August 2022\n    - SDWAN 2.X:      8.7.0.0-2.3.0.8 and above\n                      Release ETA - late July 2022\n\n  - Aruba EdgeConnect Enterprise\n    - ECOS 9.1.1.4 and above\n    - ECOS 9.0.7.0 and above\n    - ECOS 8.3.7.0 and above\n    - The impact of these vulnerabilities on ECOS is very low.\n      Fixes will be applied only to the ECOS versions listed\n      above because of the minimal risk involved.\n\n  - Aruba EdgeConnect Enterprise Orchestrator (on-premises)\n    - Orchestrator itself does not use the expat library; the\n      expat package of the appliance operating system is what\n      needs updating:\n      - Customers using CentOS are advised to run 'yum update expat'\n        from the administrative command line. To verify that the\n        patch has been applied, run 'rpm -q --changelog expat' and\n        look for the specific CVE identifiers; if the changelog\n        entry for a CVE reads 'Resolves', the patch for that CVE\n        has already been applied.\n        - OR -\n      - Upgrading (from 9.0.6 or later) to any newer Orchestrator\n        version automatically updates expat and resolves this\n        vulnerability.\n      - New virtual machine images already contain the fix.\n      - Customers using Fedora must migrate to CentOS to receive\n        security updates. Please contact Customer Support for the\n        procedure.\n\n  - Aruba Virtual Intranet Access (VIA)\n    - Affects macOS/OS X versions only; other platforms are unaffected\n    - 4.4.0 and above\n\nAruba does not evaluate or patch product versions that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit:\nhttps://www.arubanetworks.com/support-services/end-of-life/"
        },
        {
          "product_ids": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ],
          "category": "workaround",
          "details": "To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above."
        }
      ],
      "cve": "CVE-2022-25236"
    },
    {
      "title": "Multiple Vulnerabilities in Expat XML processing library",
      "notes": [
        {
          "category": "details",
          "text": "Vulnerabilities have been identified in a commonly used component (the Expat XML parsing library) in multiple Aruba products. These vulnerabilities allow attackers to use specially crafted XML input to potentially cause denial of service conditions or remote code execution.\n\nDetails can be found at:\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25235\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25236\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25313\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25314\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25315\n\nInternal references: ATLCP-191, ATLAX-60, ATLWL-293, ATLWL-183, ATLWL-292, ATLWL-192, ATLSP-1\n\nCVSS vectors and scores provided by NVD are as follows:\nCVE-2022-25235 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical\nCVE-2022-25236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical\nCVE-2022-25313 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 medium\nCVE-2022-25314 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 high\nCVE-2022-25315 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical\n\nAruba Threat Labs analyzed and tested these vulnerabilities in the products that use the affected component and found that exploitation is not straightforward and depends on many factors that an attacker may not be able to control.\n\nAruba has chosen to keep the NVD-provided severity scores as a reference. Based on ongoing testing, the impact on products using the affected component is very low.",
          "title": "Details"
        },
        {
          "category": "other",
          "title": "Internal Reference",
          "text": "ATLCP-191, ATLAX-60, ATLWL-293, ATLWL-183, ATLWL-292, ATLWL-192, ATLSP-1"
        }
      ],
      "product_status": {
        "fixed": [
          "8.2.14.1_airwave",
          "2.2.0.3_ALE",
          "6.2.1_AFC",
          "6.10.5_cppm",
          "6.9.11",
          "6.8.9_Hotfix_1_for_Security_issues_CPPM",
          "10.10.002_AOSCX",
          "10.09.1031_AOSCX",
          "10.08.1070_AOSCX",
          "10.07.0080_AOSCX",
          "10.06.0210_AOSCX",
          "8.6.0.19_AOS",
          "8.7.1.10_AOS",
          "8.10.0.3_AOS",
          "10.3.1.1_AOS"
        ],
        "known_affected": [
          "<=8.2.14.0_airwave",
          "<=2.2.0.2_ALE",
          "<=6.2.0_AFC",
          "<=2.5.4.x_COP",
          "<=6.10.4_CPPM",
          "<=10.06.0200_AOSCX",
          "<=10.07.0070_AOSCX",
          "<=10.08.1060_AOSCX",
          "<=10.09.1030_AOSCX",
          "<=8.6.0.18_AOS",
          "<=8.7.1.9_AOS",
          "<=8.10.0.2_AOS",
          ">=10.3.0.0|<=10.3.1.0_AOS",
          "<=4.3.0_via"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH",
            "version": "3.1",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM"
          },
          "products": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "8.2.14.1_airwave",
            "2.2.0.3_ALE",
            "6.2.1_AFC",
            "6.10.5_cppm",
            "6.9.11",
            "6.8.9_Hotfix_1_for_Security_issues_CPPM",
            "10.10.002_AOSCX",
            "10.09.1031_AOSCX",
            "10.08.1070_AOSCX",
            "10.07.0080_AOSCX",
            "10.06.0210_AOSCX",
            "8.6.0.19_AOS",
            "8.7.1.10_AOS",
            "8.10.0.3_AOS",
            "10.3.1.1_AOS"
          ],
          "category": "vendor_fix",
          "details": "  - AirWave Management Platform\n    - 8.2.14.1 and above\n\n  - Aruba Analytics and Location Engine\n    - 2.2.0.3 and above\n      Release ETA - late July 2022\n\n  - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)\n    - 6.2.1 and above\n\n  - Aruba Central On-Premises\n    - 2.5.5.0 and above\n      Release ETA - late July 2022\n\n  - Aruba ClearPass Policy Manager\n    - 6.10.5 and above\n    - 6.9.11 and above\n    - 6.8.9 with Hotfix for Q1 2022 Security issues applied\n\n  - ArubaOS-CX Switches\n    - 10.10.0002 and above\n    - 10.09.1031 and above\n    - 10.08.1070 and above\n    - 10.07.0080 and above\n    - 10.06.0210 and above\n\n  - ArubaOS Wi-Fi Controllers and Gateways\n  - ArubaOS SD-WAN Gateways\n    - Please note that this only affects controllers and\n      gateways based on the x86 architecture.\n      This includes the following models:\n      - Aruba 9000 Series Controllers\n      - Aruba 9200 Series Controllers\n      - Aruba Virtual Mobility Controllers\n      - Aruba Virtual and Hardware-based Mobility Conductors\n    - The fixed code versions are as follows:\n    - ArubaOS 8.6.x:  8.6.0.19 and above\n                      Release ETA - early September 2022\n    - ArubaOS 8.7.x:  8.7.1.10 and above\n                      Release ETA - late July 2022\n    - ArubaOS 8.10.x: 8.10.0.3 and above\n                      Release ETA - late August 2022\n    - ArubaOS 10.3.x: 10.3.1.1 and above\n                      Release ETA - early August 2022\n    - SDWAN 2.X:      8.7.0.0-2.3.0.8 and above\n                      Release ETA - late July 2022\n\n  - Aruba EdgeConnect Enterprise\n    - ECOS 9.1.1.4 and above\n    - ECOS 9.0.7.0 and above\n    - ECOS 8.3.7.0 and above\n    - The impact of these vulnerabilities on ECOS is very low.\n      Fixes will be applied only to the ECOS versions listed\n      above because of the minimal risk involved.\n\n  - Aruba EdgeConnect Enterprise Orchestrator (on-premises)\n    - Orchestrator itself does not use the expat library; the\n      expat package of the appliance operating system is what\n      needs updating:\n      - Customers using CentOS are advised to run 'yum update expat'\n        from the administrative command line. To verify that the\n        patch has been applied, run 'rpm -q --changelog expat' and\n        look for the specific CVE identifiers; if the changelog\n        entry for a CVE reads 'Resolves', the patch for that CVE\n        has already been applied.\n        - OR -\n      - Upgrading (from 9.0.6 or later) to any newer Orchestrator\n        version automatically updates expat and resolves this\n        vulnerability.\n      - New virtual machine images already contain the fix.\n      - Customers using Fedora must migrate to CentOS to receive\n        security updates. Please contact Customer Support for the\n        procedure.\n\n  - Aruba Virtual Intranet Access (VIA)\n    - Affects macOS/OS X versions only; other platforms are unaffected\n    - 4.4.0 and above\n\nAruba does not evaluate or patch product versions that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit:\nhttps://www.arubanetworks.com/support-services/end-of-life/"
        },
        {
          "product_ids": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ],
          "category": "workaround",
          "details": "To minimize the likelihood of an attacker exploiting these\nvulnerabilities, Aruba recommends that the CLI and web-based\nmanagement interfaces be restricted to a dedicated layer 2\nsegment/VLAN and/or controlled by firewall policies at layer 3\nand above."
        }
      ],
      "cve": "CVE-2022-25313"
    },
    {
      "title": "Multiple Vulnerabilities in Expat XML processing library",
      "notes": [
        {
          "category": "details",
          "text": "Vulnerabilities have been identified in a commonly used        \n  component in multiple Aruba products. These vulnerabilities    \n  allow attackers to use specially crafted XML input to          \n  potentially cause denial of service conditions or remote code  \n  execution.                                                     \n\n  Details can be found at:  \n  https://nvd.nist.gov/vuln/detail/CVE-2022-25235\n  https://nvd.nist.gov/vuln/detail/CVE-2022-25236\n  https://nvd.nist.gov/vuln/detail/CVE-2022-25313\n  https://nvd.nist.gov/vuln/detail/CVE-2022-25314\n  https://nvd.nist.gov/vuln/detail/CVE-2022-25315\n\n  Internal references: ATLCP-191, ATLAX-60, ATLWL-293, \n                       ATLWL-183, ATLWL-292, ATLWL-192, \n                       ATLSP-1 \n\n  CVSS Vectors and Scores provided by NVD as follows:\t \n  CVE-2022-25235 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical \n  CVE-2022-25236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical \n  CVE-2022-25313 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 medium \n  CVE-2022-25314 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 high \n  CVE-2022-25315 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical  \n\n  Aruba Threat Labs analyzed and tested these vulnerabilities    \n  in the products using the affected component. What has been    \n  found is that exploitation of this vulnerability is not        \n  straightforward and dependent upon many factors that an        \n  attacker may not be able to control.                           \n\n  Aruba has chosen to keep the NVD provided severity scores as a \n  reference. The impact on products using the affected component \n  is very low based on ongoing testing. ",
          "title": "Details"
        },
        {
          "category": "other",
          "title": "Internal Reference",
          "text": "ATLCP-191, ATLAX-60, ATLWL-293, \n                       ATLWL-183, ATLWL-292, ATLWL-192, \n                       ATLSP-1 "
        }
      ],
      "product_status": {
        "fixed": [
          "8.2.14.1_airwave",
          "2.2.0.3_ALE",
          "6.2.1_AFC",
          "6.10.5_cppm",
          "6.9.11",
          "6.8.9_Hotfix_1_for_Security_issues_CPPM",
          "10.10.002_AOSCX",
          "10.09.1031_AOSCX",
          "10.08.1070_AOSCX",
          "10.07.0080_AOSCX",
          "10.06.0210_AOSCX",
          "8.6.0.19_AOS",
          "8.7.1.10_AOS",
          "8.10.0.3_AOS",
          "10.3.1.1_AOS"
        ],
        "known_affected": [
          "<=8.2.14.0_airwave",
          "<=2.2.0.2_ALE",
          "<=6.2.0_AFC",
          "<=2.5.4.x_COP",
          "<=6.10.4_CPPM",
          "<=10.06.0200_AOSCX",
          "<=10.07.0070_AOSCX",
          "<=10.08.1060_AOSCX",
          "<=10.09.1030_AOSCX",
          "<=8.6.0.18_AOS",
          "<=8.7.1.9_AOS",
          "<=8.10.0.2_AOS",
          ">=10.3.0.0|<=10.3.1.0_AOS",
          "<=4.3.0_via"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH",
            "version": "3.1",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH"
          },
          "products": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "8.2.14.1_airwave",
            "2.2.0.3_ALE",
            "6.2.1_AFC",
            "6.10.5_cppm",
            "6.9.11",
            "6.8.9_Hotfix_1_for_Security_issues_CPPM",
            "10.10.002_AOSCX",
            "10.09.1031_AOSCX",
            "10.08.1070_AOSCX",
            "10.07.0080_AOSCX",
            "10.06.0210_AOSCX",
            "8.6.0.19_AOS",
            "8.7.1.10_AOS",
            "8.10.0.3_AOS",
            "10.3.1.1_AOS"
          ],
          "category": "vendor_fix",
          "details": "- AirWave Management Platform\n    - 8.2.14.1 and above\n\n  - Aruba Analytics and Location Engine\n    - 2.2.0.3 and above\n      Release ETA - late July 2022\n\n  - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)\n    - 6.2.1 and above\n\n  - Aruba Central On-Premises\n    - 2.5.5.0 and above\n      Release ETA - late July 2022\n\n  - Aruba ClearPass Policy Manager\n    - 6.10.5 and above\n    - 6.9.11 and above\n    - 6.8.9 with Hotfix for Q1 2022 Security issues applied\n\n  - ArubaOS-CX Switches\n    - 10.10.0002 and above\n    - 10.09.1031 and above\n    - 10.08.1070 and above\n    - 10.07.0080 and above\n    - 10.06.0210 and above\n\n  - ArubaOS Wi-Fi Controllers and Gateways\n  - ArubaOS SD-WAN Gateways\n    - Please note that this only affects controllers and\n      gateways based on the x86 architecture.\n      This includes the following models:\n      - Aruba 9000 Series Controllers\n      - Aruba 9200 Series Controllers\n      - Aruba Virtual Mobility Controllers\n      - Aruba Virtual and Hardware-based Mobility Conductors\n    - The fixed code versions are as follows:\n    - ArubaOS 8.6.x:  8.6.0.19 and above\n                      Release ETA - early September 2022\n    - ArubaOS 8.7.x:  8.7.1.10 and above\n                      Release ETA - late July 2022\n    - ArubaOS 8.10.x: 8.10.0.3 and above\n                      Release ETA - late August 2022\n    - ArubaOS 10.3.x: 10.3.1.1 and above\n                      Release ETA - early August 2022\n    - SDWAN 2.X:      8.7.0.0-2.3.0.8 and above\n                      Release ETA - late July 2022\n\n  - Aruba EdgeConnect Enterprise\n    - ECOS 9.1.1.4 and above\n    - ECOS 9.0.7.0 and above\n    - ECOS 8.3.7.0 and above\n    - Impact of this vulnerability on ECOS is very low.\n      Fixes will be applied only to the ECOS versions\n      that are listed above due to the minimal risk involved.\n\n  - Aruba EdgeConnect Enterprise Orchestrator (on-premises)\n    - Orchestrator does not use the expat library. However:\n      - Customers using CentOS are suggested to run 'yum\n        update expat' from the administrative command line to\n        address this vulnerability; to verify if the patch has been\n        applied, run \"rpm -q --changelog expat\" and look for\n        the specific CVEs. If the output shows \"Resolves\", the\n        patches for the CVE(s) have already been applied.\n        - OR -\n      - Upgrading (from 9.0.6 or later) to any newer Orchestrator\n        version automatically updates expat and resolves this\n        vulnerability.\n      - New virtual machine images already have the fix for this\n        vulnerability.\n      - Customers using Fedora must upgrade to CentOS for support\n        of security updates. Please contact Customer Support for\n        the procedure.\n\n  - Aruba Virtual Intranet Access (VIA)\n    - Affects macOS/OSX versions only. Others are unaffected.\n    - 4.4.0 and above\n\n\nAruba does not evaluate or patch product versions that have\nreached their End of Support (EoS) milestone. For more\ninformation about Aruba's End of Support policy visit:\nhttps://www.arubanetworks.com/support-services/end-of-life/"
        },
        {
          "product_ids": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ],
          "category": "workaround",
          "details": "To minimize the likelihood of an attacker exploiting these\nvulnerabilities, Aruba recommends that the CLI and web-based\nmanagement interfaces be restricted to a dedicated layer 2\nsegment/VLAN and/or controlled by firewall policies at layer 3\nand above."
        }
      ],
      "cve": "CVE-2022-25314"
    },
    {
      "title": "Multiple Vulnerabilities in Expat XML processing library",
      "notes": [
        {
          "category": "details",
          "text": "Vulnerabilities have been identified in a commonly used        \n  component in multiple Aruba products. These vulnerabilities    \n  allow attackers to use specially crafted XML input to          \n  potentially cause denial of service conditions or remote code  \n  execution.                                                     \n\n  Details can be found at:  \n  https://nvd.nist.gov/vuln/detail/CVE-2022-25235\n  https://nvd.nist.gov/vuln/detail/CVE-2022-25236\n  https://nvd.nist.gov/vuln/detail/CVE-2022-25313\n  https://nvd.nist.gov/vuln/detail/CVE-2022-25314\n  https://nvd.nist.gov/vuln/detail/CVE-2022-25315\n\n  Internal references: ATLCP-191, ATLAX-60, ATLWL-293, \n                       ATLWL-183, ATLWL-292, ATLWL-192, \n                       ATLSP-1 \n\n  CVSS Vectors and Scores provided by NVD as follows:\t \n  CVE-2022-25235 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical \n  CVE-2022-25236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical \n  CVE-2022-25313 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 medium \n  CVE-2022-25314 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 high \n  CVE-2022-25315 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical  \n\n  Aruba Threat Labs analyzed and tested these vulnerabilities    \n  in the products using the affected component. What has been    \n  found is that exploitation of this vulnerability is not        \n  straightforward and dependent upon many factors that an        \n  attacker may not be able to control.                           \n\n  Aruba has chosen to keep the NVD provided severity scores as a \n  reference. The impact on products using the affected component \n  is very low based on ongoing testing. ",
          "title": "Details"
        },
        {
          "category": "other",
          "title": "Internal Reference",
          "text": "ATLCP-191, ATLAX-60, ATLWL-293, \n                       ATLWL-183, ATLWL-292, ATLWL-192, \n                       ATLSP-1 "
        }
      ],
      "product_status": {
        "fixed": [
          "8.2.14.1_airwave",
          "2.2.0.3_ALE",
          "6.2.1_AFC",
          "6.10.5_cppm",
          "6.9.11",
          "6.8.9_Hotfix_1_for_Security_issues_CPPM",
          "10.10.002_AOSCX",
          "10.09.1031_AOSCX",
          "10.08.1070_AOSCX",
          "10.07.0080_AOSCX",
          "10.06.0210_AOSCX",
          "8.6.0.19_AOS",
          "8.7.1.10_AOS",
          "8.10.0.3_AOS",
          "10.3.1.1_AOS"
        ],
        "known_affected": [
          "<=8.2.14.0_airwave",
          "<=2.2.0.2_ALE",
          "<=6.2.0_AFC",
          "<=2.5.4.x_COP",
          "<=6.10.4_CPPM",
          "<=10.06.0200_AOSCX",
          "<=10.07.0070_AOSCX",
          "<=10.08.1060_AOSCX",
          "<=10.09.1030_AOSCX",
          "<=8.6.0.18_AOS",
          "<=8.7.1.9_AOS",
          "<=8.10.0.2_AOS",
          ">=10.3.0.0|<=10.3.1.0_AOS",
          "<=4.3.0_via"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "version": "3.1",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL"
          },
          "products": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "8.2.14.1_airwave",
            "2.2.0.3_ALE",
            "6.2.1_AFC",
            "6.10.5_cppm",
            "6.9.11",
            "6.8.9_Hotfix_1_for_Security_issues_CPPM",
            "10.10.002_AOSCX",
            "10.09.1031_AOSCX",
            "10.08.1070_AOSCX",
            "10.07.0080_AOSCX",
            "10.06.0210_AOSCX",
            "8.6.0.19_AOS",
            "8.7.1.10_AOS",
            "8.10.0.3_AOS",
            "10.3.1.1_AOS"
          ],
          "category": "vendor_fix",
          "details": "- AirWave Management Platform\n    - 8.2.14.1 and above\n\n  - Aruba Analytics and Location Engine\n    - 2.2.0.3 and above\n      Release ETA - late July 2022\n\n  - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)\n    - 6.2.1 and above\n\n  - Aruba Central On-Premises\n    - 2.5.5.0 and above\n      Release ETA - late July 2022\n\n  - Aruba ClearPass Policy Manager\n    - 6.10.5 and above\n    - 6.9.11 and above\n    - 6.8.9 with Hotfix for Q1 2022 Security issues applied\n\n  - ArubaOS-CX Switches\n    - 10.10.0002 and above\n    - 10.09.1031 and above\n    - 10.08.1070 and above\n    - 10.07.0080 and above\n    - 10.06.0210 and above\n\n  - ArubaOS Wi-Fi Controllers and Gateways\n  - ArubaOS SD-WAN Gateways\n    - Please note that this only affects controllers and\n      gateways based on the x86 architecture.\n      This includes the following models:\n      - Aruba 9000 Series Controllers\n      - Aruba 9200 Series Controllers\n      - Aruba Virtual Mobility Controllers\n      - Aruba Virtual and Hardware-based Mobility Conductors\n    - The fixed code versions are as follows:\n    - ArubaOS 8.6.x:  8.6.0.19 and above\n                      Release ETA - early September 2022\n    - ArubaOS 8.7.x:  8.7.1.10 and above\n                      Release ETA - late July 2022\n    - ArubaOS 8.10.x: 8.10.0.3 and above\n                      Release ETA - late August 2022\n    - ArubaOS 10.3.x: 10.3.1.1 and above\n                      Release ETA - early August 2022\n    - SDWAN 2.X:      8.7.0.0-2.3.0.8 and above\n                      Release ETA - late July 2022\n\n  - Aruba EdgeConnect Enterprise\n    - ECOS 9.1.1.4 and above\n    - ECOS 9.0.7.0 and above\n    - ECOS 8.3.7.0 and above\n    - Impact of this vulnerability on ECOS is very low.\n      Fixes will be applied only to the ECOS versions\n      that are listed above due to the minimal risk involved.\n\n  - Aruba EdgeConnect Enterprise Orchestrator (on-premises)\n    - Orchestrator does not use the expat library. However:\n      - Customers using CentOS are suggested to run 'yum\n        update expat' from the administrative command line to\n        address this vulnerability; to verify if the patch has been\n        applied, run \"rpm -q --changelog expat\" and look for\n        the specific CVEs. If the output shows \"Resolves\", the\n        patches for the CVE(s) have already been applied.\n        - OR -\n      - Upgrading (from 9.0.6 or later) to any newer Orchestrator\n        version automatically updates expat and resolves this\n        vulnerability.\n      - New virtual machine images already have the fix for this\n        vulnerability.\n      - Customers using Fedora must upgrade to CentOS for support\n        of security updates. Please contact Customer Support for\n        the procedure.\n\n  - Aruba Virtual Intranet Access (VIA)\n    - Affects macOS/OSX versions only. Others are unaffected.\n    - 4.4.0 and above\n\n\nAruba does not evaluate or patch product versions that have\nreached their End of Support (EoS) milestone. For more\ninformation about Aruba's End of Support policy visit:\nhttps://www.arubanetworks.com/support-services/end-of-life/"
        },
        {
          "product_ids": [
            "<=8.2.14.0_airwave",
            "<=2.2.0.2_ALE",
            "<=6.2.0_AFC",
            "<=2.5.4.x_COP",
            "<=6.10.4_CPPM",
            "<=10.06.0200_AOSCX",
            "<=10.07.0070_AOSCX",
            "<=10.08.1060_AOSCX",
            "<=10.09.1030_AOSCX",
            "<=8.6.0.18_AOS",
            "<=8.7.1.9_AOS",
            "<=8.10.0.2_AOS",
            ">=10.3.0.0|<=10.3.1.0_AOS",
            "<=4.3.0_via"
          ],
          "category": "workaround",
          "details": "To minimize the likelihood of an attacker exploiting these\nvulnerabilities, Aruba recommends that the CLI and web-based\nmanagement interfaces be restricted to a dedicated layer 2\nsegment/VLAN and/or controlled by firewall policies at layer 3\nand above."
        }
      ],
      "cve": "CVE-2022-25315"
    }
  ],
  "product_tree": {
    "branches": [
      {
        "category": "vendor",
        "name": "HPE Aruba Networking",
        "branches": [
          {
            "category": "product_name",
            "name": "Aruba AirWave Management Platform",
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/>=8.0.0.0|<=8.2.14.0",
                "product": {
                  "name": "Aruba AirWave Management Platform",
                  "product_id": "<=8.2.14.0_airwave"
                }
              },
              {
                "product": {
                  "name": "Aruba AirWave Management Platform",
                  "product_id": "8.2.14.1_airwave"
                },
                "category": "product_version",
                "name": "8.2.14.1"
              }
            ]
          },
          {
            "category": "product_name",
            "name": "Aruba Analytics and Location Engine",
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/>=2.0.0.0|<=2.2.0.2",
                "product": {
                  "name": "Aruba Analytics and Location Engine",
                  "product_id": "<=2.2.0.2_ALE"
                }
              },
              {
                "category": "product_version",
                "name": "2.2.0.3",
                "product": {
                  "product_id": "2.2.0.3_ALE",
                  "name": "Aruba Analytics and Location Engine"
                }
              }
            ]
          },
          {
            "category": "product_name",
            "name": "Aruba Central On-Premises (COP)",
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/>=2.0.0.0|<=2.5.4.x",
                "product": {
                  "name": "Aruba Central On-Premises (COP)",
                  "product_id": "<=2.5.4.x_COP"
                }
              },
              {
                "product": {
                  "name": "Aruba Central On-Premises (COP)",
                  "product_id": "2.5.5.0_COP"
                },
                "category": "product_version",
                "name": "2.5.5.0"
              }
            ]
          },
          {
            "category": "product_name",
            "name": "Aruba ClearPass Policy Manager",
            "branches": [
              {
                "category": "product_version",
                "name": "6.10.5_CPPM",
                "product": {
                  "name": "Aruba ClearPass Policy Manager",
                  "product_id": "6.10.5_cppm"
                }
              },
              {
                "name": "6.8.9_Hotfix_1_for_Security_issues",
                "category": "product_version",
                "product": {
                  "product_id": "6.8.9_Hotfix_1_for_Security_issues_CPPM",
                  "name": "Aruba ClearPass Policy Manager"
                }
              },
              {
                "product": {
                  "name": "Aruba ClearPass Policy Manager",
                  "product_id": "6.9.11"
                },
                "category": "product_version",
                "name": "6.9.11"
              },
              {
                "product": {
                  "name": "Aruba ClearPass Policy Manager",
                  "product_id": "<=6.10.4_CPPM"
                },
                "category": "product_version_range",
                "name": "vers:semver/>=6.10.0|<=6.10.4"
              },
              {
                "product": {
                  "name": "Aruba ClearPass Policy Manager",
                  "product_id": "<=6.9.10_CPPM"
                },
                "category": "product_version_range",
                "name": "vers:semver/>=6.9.0|<=6.9.10"
              },
              {
                "product": {
                  "name": "Aruba ClearPass Policy Manager",
                  "product_id": "<=6.8.9_CPPM"
                },
                "category": "product_version_range",
                "name": "vers:semver/>=6.0.0|<=6.8.9"
              }
            ]
          },
          {
            "category": "product_name",
            "name": "Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)",
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/>=6.0.0|<=6.2.0",
                "product": {
                  "name": "Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)",
                  "product_id": "<=6.2.0_AFC"
                }
              },
              {
                "product": {
                  "name": "Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)",
                  "product_id": "6.2.1_AFC"
                },
                "category": "product_version",
                "name": "6.2.1"
              }
            ]
          },
          {
            "category": "product_name",
            "name": "AOS-CX",
            "branches": [
              {
                "category": "product_version",
                "name": "10.10.0002",
                "product": {
                  "name": "AOS-CX",
                  "product_id": "10.10.002_AOSCX"
                }
              },
              {
                "category": "product_version",
                "name": "10.06.0210",
                "product": {
                  "product_id": "10.06.0210_AOSCX",
                  "name": "AOS-CX"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=10.08.0000|<=10.08.1060",
                "product": {
                  "product_id": "<=10.08.1060_AOSCX",
                  "name": "AOS-CX"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=10.07.0000|<=10.07.0070",
                "product": {
                  "product_id": "<=10.07.0070_AOSCX",
                  "name": "AOS-CX"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=10.00.0000|<=10.06.0200",
                "product": {
                  "product_id": "<=10.06.0200_AOSCX",
                  "name": "AOS-CX"
                }
              },
              {
                "category": "product_version",
                "name": "10.09.1031",
                "product": {
                  "name": "AOS-CX",
                  "product_id": "10.09.1031_AOSCX"
                }
              },
              {
                "category": "product_version",
                "name": "10.08.1070",
                "product": {
                  "name": "AOS-CX",
                  "product_id": "10.08.1070_AOSCX"
                }
              },
              {
                "category": "product_version",
                "name": "10.07.0080",
                "product": {
                  "name": "AOS-CX",
                  "product_id": "10.07.0080_AOSCX"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=10.09.0000|<=10.09.1030",
                "product": {
                  "name": "AOS-CX",
                  "product_id": "<=10.09.1030_AOSCX"
                }
              }
            ]
          },
          {
            "category": "product_name",
            "name": "ArubaOS Wi-Fi Controllers and Campus/Remote Access Points and ArubaOS SD-WAN Gateways",
            "branches": [
              {
                "product": {
                  "name": "ArubaOS Wi-Fi Controllers and Campus/Remote Access Points and ArubaOS SD-WAN Gateways",
                  "product_id": "10.3.1.1_AOS"
                },
                "category": "product_version",
                "name": "10.3.1.1"
              },
              {
                "product": {
                  "name": "ArubaOS Wi-Fi Controllers and Campus/Remote Access Points and ArubaOS SD-WAN Gateways",
                  "product_id": "8.10.0.3_AOS"
                },
                "category": "product_version",
                "name": "8.10.0.3"
              },
              {
                "product": {
                  "name": "ArubaOS Wi-Fi Controllers and Campus/Remote Access Points and ArubaOS SD-WAN Gateways",
                  "product_id": "8.7.1.10_AOS"
                },
                "category": "product_version",
                "name": "8.7.1.10"
              },
              {
                "product": {
                  "name": "ArubaOS Wi-Fi Controllers and Campus/Remote Access Points and ArubaOS SD-WAN Gateways",
                  "product_id": "8.6.0.19_AOS"
                },
                "category": "product_version",
                "name": "8.6.0.19"
              },
              {
                "product": {
                  "name": "ArubaOS Wi-Fi Controllers and Campus/Remote Access Points and ArubaOS SD-WAN Gateways",
                  "product_id": ">=10.3.0.0|<=10.3.1.0_AOS"
                },
                "category": "product_version_range",
                "name": "vers:semver/>=10.3.0.0|<=10.3.1.0"
              },
              {
                "product": {
                  "name": "ArubaOS Wi-Fi Controllers and Campus/Remote Access Points and ArubaOS SD-WAN Gateways",
                  "product_id": "<=8.10.0.2_AOS"
                },
                "category": "product_version_range",
                "name": "vers:semver/>=8.10.0.0|<=8.10.0.2"
              },
              {
                "product": {
                  "name": "ArubaOS Wi-Fi Controllers and Campus/Remote Access Points and ArubaOS SD-WAN Gateways",
                  "product_id": "<=8.7.1.9_AOS"
                },
                "category": "product_version_range",
                "name": "vers:semver/>=8.7.0.0|<=8.7.1.9"
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=8.6.0.0|<=8.6.0.18",
                "product": {
                  "product_id": "<=8.6.0.18_AOS",
                  "name": "ArubaOS Wi-Fi Controllers and Campus/Remote Access Points and ArubaOS SD-WAN Gateways"
                }
              }
            ]
          },
          {
            "category": "product_name",
            "name": "Aruba Virtual Intranet Access (VIA)",
            "branches": [
              {
                "category": "product_version",
                "name": "4.4.0",
                "product": {
                  "name": "VIA",
                  "product_id": "4.4.0"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=4.0.0|<=4.3.0",
                "product": {
                  "name": "VIA",
                  "product_id": "<=4.3.0_via"
                }
              }
            ]
          }
        ]
      }
    ],
    "product_groups": [
      {
        "group_id": "PRODUCT_AFFECTED_GROUP",
        "summary": "list of pids which are known affected",
        "product_ids": [
          "<=8.2.14.0_airwave",
          "<=2.2.0.2_ALE",
          "<=6.2.0_AFC",
          "<=2.5.4.x_COP",
          "<=6.10.4_CPPM",
          "<=10.06.0200_AOSCX",
          "<=10.07.0070_AOSCX",
          "<=10.08.1060_AOSCX",
          "<=10.09.1030_AOSCX",
          "<=8.6.0.18_AOS",
          "<=8.7.1.9_AOS",
          "<=8.10.0.2_AOS",
          ">=10.3.0.0|<=10.3.1.0_AOS",
          "<=4.3.0_via"
        ]
      },
      {
        "group_id": "PRODUCT_FIXED_GROUP",
        "summary": "list of pids which are fixed",
        "product_ids": [
          "8.2.14.1_airwave",
          "2.2.0.3_ALE",
          "6.2.1_AFC",
          "6.10.5_cppm",
          "6.9.11",
          "6.8.9_Hotfix_1_for_Security_issues_CPPM",
          "10.10.002_AOSCX",
          "10.09.1031_AOSCX",
          "10.08.1070_AOSCX",
          "10.07.0080_AOSCX",
          "10.06.0210_AOSCX",
          "8.6.0.19_AOS",
          "8.7.1.10_AOS",
          "8.10.0.3_AOS",
          "10.3.1.1_AOS",
          "4.4.0"
        ]
      }
    ]
  }
}