-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2016-001
CVE: CVE-2015-7547
Publication Date: 2015-Feb-18
Status: Confirmed
Revision: 2

Title
=====
glibc getaddrinfo() Stack-Based Buffer Overflow

Overview
========
A security vulnerability in the GNU C library is having widespread impact
in the IT product vendor community. Aruba Networks is affected by this
vulnerability and will be issuing multiple software updates. The original
announcement may be found at the following URL:

https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Affected Products
=================
-- ClearPass up to, but not including, 6.5.6 and 6.6
-- AirWave (all versions)
-- Aruba 7xxx controllers running versions up to, but not including,
   6.3.1.21, 6.4.2.16, 6.4.3.7, and 6.4.4.5
-- Cloud products (Activate, Central)

Unaffected Products
===================
-- Aruba Instant
-- Aruba VIA
-- Aruba 6xx, 3xxx, M3, and other legacy mobility controllers (all
   software versions)
-- Mobility Access Switch

Details
=======
An attacker with the ability to answer a DNS query coming from an affected
Aruba product could craft the response in a way that would cause a software
crash. Whether or not the software crash would be fatal to the overall
function of the product is still under investigation.

Google has internally demonstrated remote code execution based on this
vulnerability. Attacks that achieve remote code execution must normally be
highly customized to a specific application. The potential for remote code
execution within affected Aruba products is currently unknown.

Workarounds
===========
The vulnerability is triggered through receipt of a maliciously crafted DNS
response. The following measures may provide mitigation against attacks:

1. Tightly control which DNS servers Aruba products are allowed to
   communicate with. Configure those DNS servers to limit responses to
   less than 2048 bytes for TCP and 512 bytes for UDP.
2. Prevent man-in-the-middle attacks between Aruba products and DNS
   servers by employing physical and network security best practices.

Resolution
==========
The vulnerability will be addressed in the following versions:

-- ArubaOS 6.3.1.21, 6.4.2.16, 6.4.3.7, and 6.4.4.5
-- ClearPass 6.5.6 and 6.6
-- AirWave may be updated immediately by logging into a root shell and
   running "yum update glibc". AirWave patches will also be published.
-- Cloud-based products are in the process of being updated.

Obtaining Fixed Software
========================
Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:
+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================
Revision 1.0 / 2016-Feb-18 / Initial release
Revision 1.1 / 2016-Feb-19 / Updated to include ArubaOS 6.3

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use
of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2016 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWx1aSAAoJEJj+CcpFhYbZACEH+gLbrWXZ+kpqxIYMX388GcqA
0luq2IwX8wlp0KaCysKVvJnHnPyDQWMLQ4Ji0juBkISyzTP7W848OysOkpi9bC+x
ERVW49L3Tj1m+Nlc9cdEZuOMwQUSj3ItZsRiLBkXVpcig6+TFVbXctUPnzc+DDKX
McpuTkBGYHtzjZzIL8dNV4oegx2fD6MJsxfiLQtLgQ78cElObuYgsMeqzYElcSW2
uZvYW6HrXRU5hRhnYEeb/CNqgbxKcGVYye8CofMfZCPjUPPeTa4ItnPxoAznorRg
VBlA3h86ehMRezzye+TFDyqC/xPP6TTzd0Fb5L18aUOT43ZYrt1FVzzNSekLhsI=
=TSim
-----END PGP SIGNATURE-----
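The first workaround above hinges on a size policy for DNS responses: under 2048 bytes over TCP and within the 512-byte UDP datagram limit. The following is an added example, not Aruba's code and not part of the advisory, showing how a defender's DNS proxy or IDS rule could enforce that policy on the wire format. The only facts taken from the advisory are the two thresholds; the function names, the constructed sample responses and the choice to reject a TCP frame from its 2-byte length prefix before buffering the payload are assumptions of this example.

```python
"""Size policy check for DNS responses, modelled on the advisory's workaround.
Added example (not Aruba code). Thresholds come from the advisory; the
helpers and sample messages are constructed here for illustration."""
import struct

TCP_MAX = 2048   # advisory: TCP responses must stay below 2048 bytes
UDP_MAX = 512    # advisory: UDP responses must stay below 512 bytes


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, addresses, txid=0x1234):
    """Constructed sample: a standard DNS response carrying one IN A record
    per address. Used only to generate test input for the checks below."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answers


def parse_header(msg):
    """Return (id, flags, qdcount, ancount, nscount, arcount) of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HHHHHH", msg[:12])


def check_response(msg, transport):
    """Classify a DNS response payload by transport and size.

    Returns (accepted, reason). Only responses (QR bit set) are accepted,
    and only when they are below the advisory's limit for the transport."""
    limits = {"tcp": TCP_MAX, "udp": UDP_MAX}
    if transport not in limits:
        raise ValueError("transport must be 'tcp' or 'udp'")
    _, flags, _, _, _, _ = parse_header(msg)
    if not flags & 0x8000:
        return False, "not a response (QR bit clear)"
    size = len(msg)
    if size >= limits[transport]:
        return False, f"{transport} response of {size} bytes reaches limit {limits[transport]}"
    return True, f"{transport} response of {size} bytes within limit"


def check_tcp_frame(stream):
    """TCP DNS prefixes each message with a 2-byte length (RFC 1035 4.2.2).
    Reject an oversize frame from the prefix alone, so the payload is never
    buffered, then apply the payload check to what follows."""
    if len(stream) < 2:
        return False, "truncated length prefix"
    (declared,) = struct.unpack("!H", stream[:2])
    if declared >= TCP_MAX:
        return False, f"declared length {declared} reaches limit {TCP_MAX}"
    payload = stream[2:2 + declared]
    if len(payload) != declared:
        return False, "frame shorter than declared length"
    return check_response(payload, "tcp")


if __name__ == "__main__":
    small = build_response("example.com", ["192.0.2.1"])
    big = build_response("example.com", ["192.0.2.1"] * 140)   # 2269 bytes
    print(check_response(small, "udp"))
    print(check_response(big, "tcp"))
    print(check_tcp_frame(len(big).to_bytes(2, "big") + big))
```

Each answer record in the constructed sample is 16 bytes, so a response for `example.com` with one address is 45 bytes, 31 addresses push a UDP response past 512 bytes, and 140 addresses produce a 2269-byte message that the TCP check rejects from its length prefix alone.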