-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 051414
CVE-2014-0050
CVE-2014-0094
CVE-2014-0112
CVE-2014-0113

TITLE

Apache Struts2 Vulnerability in Aruba Networks ClearPass Policy Manager

SUMMARY

Denial of service and code execution vulnerabilities in Apache Struts were disclosed through CVE-2014-0050, CVE-2014-0094, CVE-2014-0112, and CVE-2014-0113. These could allow a malicious user to cause a denial of service, or to manipulate the ClassLoader and thereby achieve remote code execution.

AFFECTED VERSIONS
--------------------------------------------------------

ClearPass 5.X, 6.0.1, 6.0.2, 6.1.0, 6.2.0, 6.3.0

DETAILS

ClearPass Policy Manager uses the Apache Struts framework to drive the server-side components of its user interface. The ClearPass Policy Manager web UI pages use the Struts interceptor framework and file upload framework, both of which could be susceptible to these attacks. An attacker with access to the ClearPass Policy Manager UI could craft such an attack, creating the possibility of remote code execution or a denial of service.

DISCOVERY

These vulnerabilities were announced publicly through the above-referenced CVEs.

IMPACT

An attacker could launch a denial of service attack against ClearPass Policy Manager. An attacker could also manipulate the ClassLoader of the Apache Struts instance used by ClearPass Policy Manager, which could allow bypassing navigation states and/or executing remote commands on the server.

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This rating system is a vendor-agnostic, open industry standard designed to convey vulnerability severity and help determine the urgency and priority of response.
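As an added example (not part of this advisory or of any ClearPass tooling), the following Python scanner walks constructed web-server access-log lines and flags the two request shapes the DETAILS and IMPACT sections describe: Struts request parameters whose names reach into the ClassLoader, and multipart uploads whose boundary exceeds the 70-character limit RFC 2046 allows. The log format, URL paths, and sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed CLF-like log format with the request Content-Type as a final quoted
# field; the paths and sample lines below are constructed, not ClearPass's own.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d+) "(?P<ctype>[^"]*)"$'
)
# Parameter names that address the Struts ClassLoader, e.g. class.classLoader.x
# or Class['classLoader'].x; case is ignored so capitalised variants are caught too.
CLASS_PARAM_RE = re.compile(r"(^|[.\[])class[.\[]", re.I)
BOUNDARY_RE = re.compile(r'boundary=("?)([^";]+)\1', re.I)
MAX_BOUNDARY_LEN = 70  # RFC 2046 limits a multipart boundary to 70 characters

LONG_BOUNDARY = "A" * 200  # constructed oversized boundary for the DoS case
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [14/May/2014:10:01:02 +0000] "GET /admin/login.action?username=bob HTTP/1.1" 200 "-"',
    '10.0.0.9 - - [14/May/2014:10:01:07 +0000] "GET /admin/login.action?class.classLoader.x=1 HTTP/1.1" 200 "-"',
    '10.0.0.9 - - [14/May/2014:10:01:08 +0000] "GET /admin/login.action?Class%5B%27classLoader%27%5D.x=1 HTTP/1.1" 200 "-"',
    '10.0.0.7 - - [14/May/2014:10:01:09 +0000] "POST /admin/upload.action HTTP/1.1" 200 '
    f'"multipart/form-data; boundary={LONG_BOUNDARY}"',
])

def suspicious_params(target):
    """Return the URL-decoded query parameter names that try to reach the ClassLoader."""
    names = [n for n, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    return [n for n in names if "classloader" in n.lower() or CLASS_PARAM_RE.search(n)]

def oversized_boundary(content_type):
    """True when a multipart Content-Type carries a boundary longer than RFC 2046 allows."""
    m = BOUNDARY_RE.search(content_type or "")
    return bool(m) and len(m.group(2)) > MAX_BOUNDARY_LEN

def scan(log_text):
    """Return a list of (client ip, request target, reason) for each flagged request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        params = suspicious_params(m["target"])
        if params:
            findings.append((m["ip"], m["target"], "classloader-parameter:" + ",".join(params)))
        if oversized_boundary(m["ctype"]):
            findings.append((m["ip"], m["target"], "oversized-multipart-boundary"))
    return findings
```

Running `scan(SAMPLE_LOG)` flags the two ClassLoader-parameter requests and the oversized-boundary upload while leaving the ordinary login request alone; on real logs, tune the parameter pattern to the Struts version's own excluded-parameter rules.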
The CVSS scores for the vulnerabilities in this advisory are:

CVE-2014-0050: CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2014-0094: CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-2014-0112: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2014-0113: CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)

MITIGATION

Aruba Networks recommends that all customers use access control methods such as network-level ACLs to restrict access to the ClearPass Policy Manager UI. If using ClearPass 6.1.0 or later, Aruba recommends that customers use the Access Control options available within the ClearPass administration interface to permit access to ClearPass Policy Manager from secure network locations only.

SOLUTION

Aruba Networks recommends that all customers apply the ClearPass 6.1.4, ClearPass 6.2.6, or ClearPass 6.3.2 patches released in May 2014 as soon as practical. Customers using ClearPass versions prior to 6.1 are urged to upgrade to ClearPass Policy Manager 6.1.4 as soon as practical.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory.
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-051414.txt

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 05-14-2014 / Initial release

ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks products, and on obtaining assistance with security incidents, is available at
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2014 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iEYEAREIAAYFAlNtJm4ACgkQp6KijA4qefXhkwCg8WLLgnY0MW9nKHygvH9IneR/
IAgAnA8EcBc7mQ8tnfIFR/cAKyJbWPMO
=Gkbc
-----END PGP SIGNATURE-----