-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ADVISORY NUMBER 080113
CVE-2013-2248
CVE-2013-2251


TITLE
 
Apache Struts2 Vulnerability in Aruba Networks ClearPass Policy Manager 
 

SUMMARY
 
Remote code execution and redirection vulnerabilities in Apache Struts were
revealed on 07/20/2013 through CVE-2013-2248 and CVE-2013-2251. These allow
a malicious user to execute Struts OGNL expressions using Struts' action/
redirect/redirectAction prefixes to evaluate OGNL expressions.

AFFECTED VERSIONS
 
- -- ClearPass 5.X, 6.0.1, 6.0.2, 6.1.0, 6.2.0
 
 
DETAILS
 
ClearPass Policy Manager leverages the Apache Struts framework to drive 
server-side components of the user interface. ClearPass Policy Manager's 
web-based UI pages carry the Struts "action" suffixes, which are vulnerable
to this attack. An attacker with access to the ClearPass Policy Manager's
UI could craft valid OGNL expressions and embed them into the URL, thus 
creating a possibility for a server-side code injection based on the disclosure.

 
DISCOVERY

These vulnerabilities were announced through CVE-2013-2248 and CVE-2013-2251.


IMPACT

The attacker can craft a valid OGNL expression into URLs used by ClearPass 
Policy Manager, thus providing the possibility of injecting server-side code 
and thereby allowing the remote attacker to bypass navigation states and/or 
execute remote commands on the server (ClearPass Policy Manager).

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS).
This rating system is a vendor agnostic, industry open standard designed to 
convey vulnerability severity and help determine urgency and priority of 
response. Aruba also has its own Aruba Threats Lab team (ATL) that is focused 
exclusively on identification and mitigation of security issues.

CVSS v2 Base Score:9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
 

MITIGATION
 
Aruba Networks recommends that all customers use access control methods such 
as network-level ACLs to restrict access to the ClearPass Policy Manager UI. 
If using ClearPass 6.1.0 and above, Aruba recommends that customers use 
Access Control options available within the ClearPass administration interface 
to permit access to ClearPass Policy Manager from secure network locations only.
 
 
SOLUTION
 
Aruba Networks recommends that all customers apply either ClearPass 6.1.3 or
ClearPass 6.2.0.54567 patches released August 2013 as soon as practical. 

Customers using ClearPass versions prior to 6.1 are urged to upgrade to 
ClearPass Policy Manager 6.1.3 as soon as practical.


   
+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website: 
	http://www.arubanetworks.com/support. 
   
Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

	+1-408-754-1200 (toll call from anywhere in the world)

	e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or 
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at 

Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-080113.asc

SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1


STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-080113.asc


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY

      Revision 1.0 / 08-01-2013 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at 

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2013 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)

iEYEARECAAYFAlJM8CoACgkQp6KijA4qefWUFwCfdGvaRRE1xRuA17aRBcEPU6AZ
q64An1oCTB9+oS51imoOXR5XTrK3cKAp
=dz6G
-----END PGP SIGNATURE-----