-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-007
CVE: CVE-2015-0286, CVE-2015-0289, CVE-2015-0209, CVE-2015-0292
Publication Date: 2015-Mar-26
Status: Preliminary
Revision: 2
Public location: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-007.txt


Title
=====
OpenSSL Multiple Vulnerabilities (19 March 2015)
 

Overview
========

Multiple vulnerabilities exist in OpenSSL.  For more details, see the
original OpenSSL advisory at https://www.openssl.org/news/secadv_20150319.txt.
This is a preliminary advisory - revisions will be posted as new information
becomes available.


Affected Aruba Products
=======================

 -- ArubaOS (all versions)
 -- ClearPass Policy Manager 6.4.x
 -- ClearPass Policy Manager 6.5.x
 -- AirWave 7.x prior to 7.7.14.3
 -- AirWave 8.x prior to 8.0.7.1


Unaffected Aruba Products
=========================

 -- Aruba Instant
 -- VIA
 -- Meridian
 -- Aruba Central


Details
=======

Multiple Aruba products make use of OpenSSL to varying extents.  The following
vulnerabilities affect all "Affected Aruba Products" listed above:

 - Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
	Severity: Moderate

 - PKCS7 NULL pointer dereferences (CVE-2015-0289)
	Severity: Aruba classifies the severity as "low" as this functionality
	could only be accessed by an authenticated administrator.

 - Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
	Severity: Aruba classifies the severity as "low" as this functionality
	could only be accessed by an authenticated administrator.

 - Base64 decode (CVE-2015-0292)
	Severity: Moderate

The vulnerabilities above all impact availability.  There is no impact
to confidentiality or integrity from these vulnerabilities.


The following vulnerabilities DO NOT affect any Aruba product:

 - OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
 - RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
 - Multiblock corrupted pointer (CVE-2015-0290)
 - Segmentation fault in DTLSv1_listen (CVE-2015-0207)
 - Segmentation fault for invalid PSS parameters (CVE-2015-0208)
 - ASN.1 structure reuse memory corruption (CVE-2015-0287)
 - DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
 - Empty CKE with client auth and DHE (CVE-2015-1787)
 - Handshake with unseeded PRNG (CVE-2015-0285)
 - X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)


Resolution
==========

Aruba will provide software updates to fix these issues.  At the time of this 
writing, some information is preliminary or unavailable.  This advisory will 
be updated as new information becomes available.

  - ArubaOS
    The following patches will be released to address this issue:
	6.3.1.16 (target date April 3)
	6.4.2.6 (target date April 9)
    This issue is being tracked by bug 115019.

    Note: ArubaOS 5.x, 6.1.x, and 6.2.x are no longer being actively developed, and 
    security patches are produced by default only for high-severity issues.
    Customers who require patches for older versions should contact Aruba Technical 
    Support to make that request.


  - ClearPass
	ClearPass 6.5.1 will address this issue (target date April 10)
	The patch schedule for ClearPass 6.4.x is still being determined.

  - AirWave
    Version 7.7.14.3 and 8.0.7.1 are targeted for March 27 with fixes for these
    issues.  Customers may immediately update to RedHat-provided patches by
    logging into the AirWave system as 'root' and issuing the command:
        # yum update openssl    
    See https://rhn.redhat.com/errata/RHSA-2015-0715.html for details of the
    RedHat fix.


Obtaining Fixed Software
========================

Aruba customers can obtain software updates on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


Revision History
================

	Revision 1 / 2015-Mar-26 / Initial release
	Revision 2 / 2015-Mar-27 / Updated Resolution section


Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2015 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVFbqfAAoJEJj+CcpFhYbZ4T4H/RkZgv+mrgFPslJnY7Ydoyqr
WABHpZ4lgoZYNPBBmbpGnifK1voLzEwGJgCEiam/CcqGTTZQr1hF6ZbzdmCOIq0s
BZKOA1IMbyuEc8fL76vS+D2daRHZK02lklMb+ai1YCdTcZ5nNJ8T7pexY8e9XJeq
4aAUQSVnEUqn9PfA/lXcsnb9Re/Nmr0lf+GlH2t9eml0s27LZHVYGMPlngcahDtb
nyyaXecayL0gkWmGScLvZAvXxtmoXd8OIKBqcGzOSo5MOiVwTpi5mn6BQEnpTcq8
wPRRwzOc+SS1ZzCh+Hiil7thrXp349ZKV5ct+jPRD+XgNwGbaf9FJ8LcOhAmKmg=
=FGgJ
-----END PGP SIGNATURE-----