Advisory Number 11192014

This advisory contains information about two different vulnerabilities.

+----------------------------------------------------------------------
============================== Advisory #1 ============================
+----------------------------------------------------------------------

CVE NUMBER: CVE-2014-8367

TITLE
Unauthenticated SQL Injection Vulnerability in ClearPass Policy Manager

SUMMARY
A component of ClearPass Policy Manager is vulnerable to a read-only SQL injection attack by an unauthenticated user with access to the data network or the management network.

AFFECTED PRODUCTS
- ClearPass Policy Manager 6.2.x
- ClearPass Policy Manager 6.3.5 and earlier
- ClearPass Policy Manager 6.4.1 and earlier

DETAILS
In order to protect customer networks, Aruba is providing no additional details in the initial advisory. In accordance with our vulnerability disclosure policy, Aruba will update this advisory in 60 days to provide full details of the vulnerability.

DISCOVERY
This issue was discovered and reported by Luke Young of Hydrant Labs. Aruba would like to thank Mr. Young for his assistance.

IMPACT
An attacker may be able to read sensitive information from the ClearPass database. This data could include component information, passwords, identity information, and information about connected systems.

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This rating system is a vendor-agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response.

The CVSS score for this release is:
CVSS V2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)

MITIGATION
No mitigation is possible without upgrading the software.

SOLUTION
Aruba recommends upgrading to a fixed version as soon as possible.
This vulnerability has been fixed in:
- ClearPass Policy Manager 6.3.6
- ClearPass Policy Manager 6.4.2
- A point patch for ClearPass 6.2.6 has been published

+----------------------------------------------------------------------
============================== Advisory #2 ============================
+----------------------------------------------------------------------

CVE NUMBER: CVE-2014-8368

TITLE
Authenticated Privilege Escalation in AirWave

SUMMARY
A user with authenticated access to the AirWave web interface may be able to execute commands as 'root' on the underlying Linux operating system.

AFFECTED PRODUCTS
- AirWave 7.7.13 and earlier
- AirWave 8.0.4 and earlier

DETAILS
In order to protect customer networks, Aruba is providing no additional details in the initial advisory. In accordance with our vulnerability disclosure policy, Aruba will update this advisory in 60 days to provide full details of the vulnerability.

DISCOVERY
This issue was discovered and reported by William Söderberg. Aruba would like to thank Mr. Söderberg for his assistance.

IMPACT
An attacker with the ability to run commands as 'root' can take full control of the server hosting the AirWave application.

Many Aruba customers do not make use of multiple privilege levels in AirWave. AirWave deployments where all authorized users already have 'root' access are not impacted by this vulnerability.

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This rating system is a vendor-agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response.

The CVSS score for this release is:
CVSS V2 Base Score: 4.6 (MEDIUM) (AV:N/AC:H/Au:S/C:P/I:P/A:P)

MITIGATION
As a temporary mitigation technique, users of AirWave who do not otherwise have 'root' access to the underlying Linux operating system may be denied access to the AirWave application.
Without access to the application, a privilege escalation attack cannot succeed.

SOLUTION
Aruba recommends upgrading to a fixed version as soon as possible.

This vulnerability has been fixed in:
- AirWave 7.7.14
- AirWave 8.0.5

+----------------------------------------------------------------------

OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website:
http://support.arubanetworks.com

AirWave updates may be directly downloaded by logging into a root shell and issuing the command "start_amp_upgrade".

ClearPass updates may be directly downloaded by logging in as 'admin' and navigating to Administration->Agents and Software Updates->Software Updates.

Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-11192014.txt

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups.
Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY
Revision 1.0 / 11-19-2014 / Initial release

ARUBA SIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba Networks products, and on obtaining assistance with security incidents, is available at
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2014 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.