-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 10142014
CVE-2014-3566

TITLE

SSL 3.0 "POODLE" Attack

SUMMARY

On October 14, 2014, the Google Security Team announced a practical attack
against the SSL 3.0 protocol that could allow a man-in-the-middle attacker
to recover encrypted plaintext from an HTTPS session. This advisory
describes Aruba's exposure to the attack.

AFFECTED PRODUCTS

- ArubaOS (all versions)
- ClearPass Policy Manager (all versions)
- AirWave (all versions)
- Aruba Central
- Aruba Instant (all versions)
- Amigopod (all versions)

NOT AFFECTED

- ArubaOS operating in FIPS mode
- ClearPass Policy Manager operating in FIPS mode

DETAILS

Refer to https://www.openssl.org/~bodo/ssl-poodle.pdf for full details.

MITIGATION

All Products
============

All modern browsers support TLSv1 at a minimum, and most also support
TLSv1.1 and TLSv1.2. We recommend disabling SSLv3 support in the browser.
As long as one side of the connection refuses to negotiate SSLv3, the
attack will be unsuccessful. Note that a server which still offers SSLv3
remains exposed to every client that has not disabled it, so the
server-side changes below are the durable fix.

ArubaOS
=======

ArubaOS when operating in FIPS mode does not support SSLv3. For non-FIPS
versions of ArubaOS, the HTTPS protocols are configurable. From the command
line, the following command will enable only TLSv1:

    (config) #web-server ssl-protocol tlsv1

Future versions of ArubaOS will remove SSLv3 entirely.

Amigopod
========

From the WebUI, under Administrator > Security Manager > Network Security,
change the allowed SSL Protocols by entering the following:

    all -SSLv2 -SSLv3

SOLUTION

Aruba Networks plans to publish patch releases for the affected products.
We recommend upgrading to these releases during your next regularly
scheduled maintenance window. Because this information is preliminary, the
exact method that will be used to mitigate the attack is not yet known.
This advisory will be updated once additional information becomes
available.

AirWave
=======

AirWave 7.7.14 and 8.0.5 have been patched to address the issue. These
versions disable SSLv3 entirely.
Aruba Central
=============

Patches were in place by November 7 to address the issue.

Aruba Instant
=============

The following versions remove support for SSLv3:

    4.0.0.9
    4.1.1.1

ArubaOS
=======

The following releases remove support for SSLv3:

    ArubaOS 5.0.4.17
    ArubaOS 6.3.1.14
    ArubaOS 6.4.2.3

ClearPass
=========

The following releases remove support for SSLv3:

    ClearPass 6.3.6
    ClearPass 6.4.2

A point patch has been provided for ClearPass 6.2.

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:

    http://support.arubanetworks.com

Aruba Support contacts are as follows:

    1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
    +1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:

    http://www.arubanetworks.com/support-services/support-program/contact-support/

    e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements in
this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update this
advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:

    http://www.arubanetworks.com/support/alerts/aid-10142014.txt

Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups.
Users concerned about this problem are encouraged to check the above URL
for any updates.

REVISION HISTORY

    Revision 1.0 / 10-14-2014 / Initial release
    Revision 1.1 / 10-30-2014 / Update to include additional details
    Revision 1.2 / 02-05-2015 / Update to include ArubaOS 5.x

ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at

    http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use
of PGP encryption. Our public keys can be found at

    http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2014 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBCAAGBQJU0844AAoJEJj+CcpFhYbZzKQH/i5a6BXK5sVB+ivabhBOYgJF
BIoP7EFrDJcQOeTVKvgbcUawMhIgtI8OVG7nydvtiIdkNSgTivt+e9gCGqjjLTnH
C1hykKuOSaVIRdJFCTxWPoYhMkguc4iFAoRRILIVtgpd/wdJIRcel/v1N2nKSu2Y
7TN6ZnE+hjoiTozAjZp7RCtaNJjtlstYIXXBMUOZPVfbZqSfxlKUC5O+iF/BZ4g+
wNMyyu0oiC9fHLfaM7NCL0OS9kq7XDi+Yp4nmF+SgRiHMpcY1UDwfs8IbSMaL0cQ
IiqJokJDXrZ+0/4y8oq87P5pTyr29rDdStALowCh6S6djqlKiatt6kziW1mcFZ8=
=vxlG
-----END PGP SIGNATURE-----
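The mitigation above rests on one condition: the management interface must refuse to negotiate SSLv3. The following probe, an added example placed outside the signed text and not Aruba code, verifies that condition against a controller, ClearPass, AirWave or Amigopod HTTPS listener after the configuration change or upgrade. Because current OpenSSL builds have SSLv3 compiled out, neither "openssl s_client -ssl3" nor Python's ssl module can perform this check, so the probe hand-builds an SSLv3 ClientHello, sends it over a plain TCP socket and classifies the first record that comes back. The host name, the cipher-suite list and the two sample records are assumptions constructed for illustration, not captures from any device.

```python
"""Probe whether an HTTPS listener still negotiates SSL 3.0 (CVE-2014-3566).

Added example, not Aruba code. Sends a raw SSLv3 ClientHello and inspects the
reply; a ServerHello with version 3.0 means SSLv3 is still enabled.
"""
import socket
import struct
import sys

SSL3_VERSION = 0x0300

# Cipher suites any SSLv3-capable server of the period offered (assumed list).
SSL3_CIPHER_SUITES = (
    0x000A,  # SSL_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x0005,  # SSL_RSA_WITH_RC4_128_SHA
)


def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return a record-layer framed ClientHello that advertises only SSL 3.0."""
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CIPHER_SUITES)
    body = (
        struct.pack("!H", SSL3_VERSION)            # client_version = 3.0
        + client_random                            # 32-byte client random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
        + b"\x01\x00"                              # one compression method: null
    )
    # Handshake header: msg_type ClientHello (1) followed by a 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake (22), version 3.0, 2-byte length.
    return (b"\x16" + struct.pack("!H", SSL3_VERSION)
            + struct.pack("!H", len(handshake)) + handshake)


def classify_server_response(data: bytes) -> str:
    """Classify the first record a server returns to the SSLv3 ClientHello.

    'sslv3-accepted'  ServerHello carrying server_version 3.0 (still exposed)
    'sslv3-refused'   alert record (handshake_failure, protocol_version, ...)
    'no-response'     empty read, i.e. the server simply closed the connection
    'unrecognized'    not a TLS record, or a record too short to judge
    """
    if not data:
        return "no-response"
    if len(data) < 5:
        return "unrecognized"
    content_type = data[0]
    if content_type == 0x15:                       # alert
        return "sslv3-refused"
    # Handshake record whose first message is ServerHello (type 2); the
    # server_version field sits after the 5-byte record and 4-byte handshake headers.
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        server_version = struct.unpack("!H", data[9:11])[0]
        if server_version == SSL3_VERSION:
            return "sslv3-accepted"
    return "unrecognized"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except ConnectionResetError:
            return "sslv3-refused"                 # RST instead of an alert: still a refusal
        except socket.timeout:
            return "no-response"
    return classify_server_response(reply)


# Constructed sample records for offline use (not captured from any device).
# ServerHello: record header, handshake header, version 3.0, 32-byte random,
# empty session id, cipher suite 0x002F, null compression.
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26"
    + b"\x03\x00" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
)
# Fatal handshake_failure alert, the reply from a server with SSLv3 disabled.
SAMPLE_HANDSHAKE_FAILURE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "controller.example.com"  # placeholder host
    print(target, probe(target))
```

Run it against the management address after applying "web-server ssl-protocol tlsv1" or installing one of the fixed releases; anything other than "sslv3-refused" or "no-response" means the listener still needs attention. The probe tests whatever terminates TLS on that address, so a device behind a TLS-terminating load balancer must be probed directly.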