Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-007
CVE: CVE-2015-0286, CVE-2015-0289, CVE-2015-0209, CVE-2015-0292
Publication Date: 2015-Mar-26
Status: Preliminary
Revision: 2
Public location: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-007.txt

Title
=====

OpenSSL Multiple Vulnerabilities (19 March 2015)

Overview
========

Multiple vulnerabilities exist in OpenSSL. For more details, see the original OpenSSL advisory at https://www.openssl.org/news/secadv_20150319.txt.

This is a preliminary advisory - revisions will be posted as new information becomes available.

Affected Aruba Products
=======================

-- ArubaOS (all versions)
-- ClearPass Policy Manager 6.4.x
-- ClearPass Policy Manager 6.5.x
-- AirWave 7.x prior to 7.7.14.3
-- AirWave 8.x prior to 8.0.7.1

Unaffected Aruba Products
=========================

-- Aruba Instant
-- VIA
-- Meridian
-- Aruba Central

Details
=======

Multiple Aruba products make use of OpenSSL to varying extents. The following vulnerabilities affect all "Affected Aruba Products" listed above:

- Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
  Severity: Moderate

- PKCS7 NULL pointer dereferences (CVE-2015-0289)
  Severity: Aruba classifies the severity as "low" as this functionality could only be accessed by an authenticated administrator.

- Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
  Severity: Aruba classifies the severity as "low" as this functionality could only be accessed by an authenticated administrator.

- Base64 decode (CVE-2015-0292)
  Severity: Moderate

The vulnerabilities above all impact availability. There is no impact to confidentiality or integrity from these vulnerabilities.
The following vulnerabilities DO NOT affect any Aruba product:

- OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
- RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
- Multiblock corrupted pointer (CVE-2015-0290)
- Segmentation fault in DTLSv1_listen (CVE-2015-0207)
- Segmentation fault for invalid PSS parameters (CVE-2015-0208)
- ASN.1 structure reuse memory corruption (CVE-2015-0287)
- DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
- Empty CKE with client auth and DHE (CVE-2015-1787)
- Handshake with unseeded PRNG (CVE-2015-0285)
- X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

Resolution
==========

Aruba will provide software updates to fix these issues. At the time of this writing, some information is preliminary or unavailable. This advisory will be updated as new information becomes available.

- ArubaOS

  The following patches will be released to address this issue:

    6.3.1.16 (target date April 3)
    6.4.2.6 (target date April 9)

  This issue is being tracked by bug 115019.

  Note: ArubaOS 5.x, 6.1.x, and 6.2.x are no longer being actively developed, and security patches are produced by default only for high-severity issues. Customers who require patches for older versions should contact Aruba Technical Support to make that request.

- ClearPass

  ClearPass 6.5.1 will address this issue (target date April 10).

  The patch schedule for ClearPass 6.4.x is still being determined.

- AirWave

  Versions 7.7.14.3 and 8.0.7.1 are targeted for March 27 with fixes for these issues.

  Customers may immediately update to RedHat-provided patches by logging into the AirWave system as 'root' and issuing the command:

    # yum update openssl

  See https://rhn.redhat.com/errata/RHSA-2015-0715.html for details of the RedHat fix.
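The AirWave workaround above relies on the RedHat openssl package, so after `yum update openssl` a practitioner will want to confirm the installed package actually references the four CVEs this advisory lists. The check below is an added example, not part of the Aruba advisory or the RedHat erratum; the changelog text it parses is a constructed sample standing in for `rpm -q --changelog openssl`, and the maintainer line and package release string in it are made up.

```shell
#!/bin/sh
# Added example (not from the Aruba advisory). Verifies that the RPM changelog
# of the installed openssl package mentions every CVE that ARUBA-PSA-2015-007
# says affects AirWave. Real use replaces SAMPLE_CHANGELOG with
# "$(rpm -q --changelog openssl)" on the AirWave host.

# The four CVEs the advisory lists as affecting Aruba products.
ADVISORY_CVES="CVE-2015-0286 CVE-2015-0289 CVE-2015-0209 CVE-2015-0292"

# CONSTRUCTED sample changelog: deliberately omits CVE-2015-0209 so the
# check has something to report.
SAMPLE_CHANGELOG='* Thu Mar 19 2015 Example Maintainer <maint@example.invalid> 1.0.1e-0.example
- fix CVE-2015-0286 - segmentation fault in ASN1_TYPE_cmp
- fix CVE-2015-0289 - PKCS7 NULL pointer dereferences
- fix CVE-2015-0292 - base64 decode buffer overflow'

# cves_missing CHANGELOG_TEXT CVE_LIST
# Prints the CVEs from CVE_LIST that the changelog never mentions (one
# space-separated line). Returns 0 when every CVE is referenced, 1 otherwise.
cves_missing() {
    changelog=$1
    missing=""
    for cve in $2; do
        # -w: match the CVE id as a whole word, so CVE-2015-0286 does not
        # accidentally match a longer or differently-suffixed id.
        if ! printf '%s\n' "$changelog" | grep -q -w "$cve"; then
            missing="$missing $cve"
        fi
    done
    missing=${missing# }
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Stand-alone run against the constructed sample.
if result=$(cves_missing "$SAMPLE_CHANGELOG" "$ADVISORY_CVES"); then
    echo "openssl changelog references all advisory CVEs"
else
    echo "openssl changelog does not reference: $result"
fi
```

A changelog reference is evidence the vendor backported the fix, not proof the running service picked it up; services linked against libssl still need a restart after the update.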
Obtaining Fixed Software
========================

Aruba customers can obtain software updates on the support website: http://support.arubanetworks.com

Aruba Support contacts are as follows:

  +1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
  +1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at: http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================

Revision 1 / 2015-Mar-26 / Initial release
Revision 2 / 2015-Mar-27 / Updated Resolution section

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.