-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2015-003
CVE: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572,
     CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
Publication Date: 2015-Feb-05
Status: Confirmed
Revision: 1

Title
=====
OpenSSL Multiple Vulnerabilities (08 January 2015)

Overview
========
Multiple vulnerabilities exist in OpenSSL. For more details, see the
original OpenSSL advisory at
https://www.openssl.org/news/secadv_20150108.txt

Affected Aruba Products
=======================
-- ArubaOS (all versions)

Unaffected Aruba Products
=========================
-- ClearPass Policy Manager
-- AirWave
-- Aruba Instant
-- VIA
-- Meridian

Details
=======
Multiple Aruba products make use of OpenSSL to varying extents. A
low-severity exposure exists within ArubaOS. Other Aruba products are
unaffected.

Within ArubaOS, two features make use of TLS client functionality: LDAP
over TLS, and the Phone Home feature. CVE-2014-3572 and CVE-2015-0204
affect OpenSSL when TLS client functionality is used. Aruba considers
the severity to be extremely low, since ArubaOS does not establish TLS
connections with arbitrary TLS servers on the public Internet. LDAPS
only connects to a trusted LDAP server within an organization's own IT
environment. The Phone Home feature only connects to an Aruba-operated
server.

Other vulnerabilities reported in the OpenSSL 08-January advisory do not
affect any Aruba products.

Resolution
==========
Aruba will patch OpenSSL in ArubaOS during the normal course of product
maintenance. Because of the low severity of this vulnerability, Aruba
will not issue emergency fixes. Aruba has assigned bug numbers 112492
and 112493 to track these issues.

Obtaining Fixed Software
========================
Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================
Revision 1.0 / 2015-Feb-05 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
-----END PGP SIGNATURE-----