-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2017-002
CVE: CVE-2017-5638
Publication Date: 2017-Mar-10
Status: Confirmed
Revision: 1

Title
=====

Apache Struts Remote Code Execution Vulnerability

Overview
========

An unauthenticated remote code execution vulnerability in the Apache Struts 2
package has been publicly reported. This advisory details Aruba's exposure to
this vulnerability.

Affected Products
=================

-- ClearPass Policy Manager (all versions)

Unaffected Products
===================

-- ArubaOS
-- Aruba Instant
-- AirWave
-- ALE
-- All Aruba cloud services including Aruba Central and Meridian
-- Niara

Details
=======

On March 7, 2017 the Apache Struts team released new versions of the package to
address a security vulnerability. The vulnerability allows an unauthenticated
attacker to execute code remotely on a vulnerable system through the use of a
specially crafted Content-Type header. The attack code will be executed with the
permission of the web server user. Attack tools exist and this vulnerability is
being actively exploited.

The ClearPass Policy Manager administrative Web interface is affected by the
vulnerability. ClearPass Guest, Insight, and Graphite are NOT affected.

Severity: CRITICAL
CVSSv3 Overall Score: 9.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:F/RL:W/RC:C

Resolution
==========

Aruba will be publishing hotfixes for ClearPass 6.5.7 and 6.6.4 no later than
Tuesday, March 14, 2017. Additionally, ClearPass 6.6.5 (target release date of
March 22, 2017) will include this fix.

Once the hotfix is published, the following methods may be used to install it:

Installing the Patch Online Using the Software Updates Portal:

1. Open ClearPass Policy Manager and go to Administration > Agents and Software
   Updates > Software Updates.
2. In the Firmware and Patch Updates area, find the "ClearPass 6.5.7 Hotfix
   Patch for CVE-2017-5638" or "ClearPass 6.6.4 Hotfix Patch for CVE-2017-5638"
   patch and click the Download button in its row.
3. Click Install.
4. When the installation is complete and the status is shown as "Needs Restart",
   proceed to restart ClearPass. After reboot, the status for the patch will be
   shown as Installed. The ClearPass Policy Manager version number will not
   change.

Installing the Patch Offline Using the Patch File from support.arubanetworks.com:

1. Download the "ClearPass 6.5.7 Hotfix Patch for CVE-2017-5638" or "ClearPass
   6.6.4 Hotfix Patch for CVE-2017-5638" patch from the Support site.
2. Open the ClearPass Policy Manager Admin UI and go to Administration > Agents
   and Software Updates > Software Updates.
3. At the bottom of the Firmware and Patch Updates area, click Import Updates
   and browse to the downloaded patch file. The name and description once
   imported may differ from the name and remark on the support site as these
   were adjusted after posting. This is purely a cosmetic discrepancy.
4. Click Install.
5. When the installation is complete and the status is shown as Needs Restart,
   proceed to restart ClearPass. After reboot, the status for the patch will be
   shown as Installed. The ClearPass Policy Manager version number will not
   change.

Workarounds
===========

Restrict access to the Policy Manager Admin Web Interface. This can be
accomplished by navigating to Administration >> Server Manager >> Server
Configuration >> >> Network >> Restrict Access and only allowing non-public or
network management networks.

Revision History
================

Revision 1 / 2017-Mar-10 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP
encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at the
top of the text, provided that redistributed copies are complete and unmodified,
including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYwy05AAoJEJj+CcpFhYbZm8AH/2EFT782814a9ivnjEkmMCkX
jurZFwGmmBAsQ3/LfP6aJ7qOQQwzbzCQ6hH1rCgOlT9FmcJmy5NHXhvRjWwyVWYC
7N3vS+2QJQcai0jx6Nqq6nYyXYZ2AiieXy5Z1OhadQNidBs5Htby9T2QKYkD8f4j
czbQKUFRAuwVeTgyW9jXi4UkkP4O5lh/4xjvVg9hw+/rx9VE8Zt/pbe4PHCfny0o
BzZZCt/5vP/Vm5dhyV9Z87YgTeYtwTMxDE0u5XYW1zA4H3huw8o+vnmbuqPIzFF6
9SgE5nH1I/lfCOatxRTiT0iFZXED4yC217kXdf0Pds3WVcYmrYTD4phAgWvkcrQ=
=A512
-----END PGP SIGNATURE-----
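The Details section above states that the attack is delivered through a specially crafted Content-Type header, which means a defender can look for it in whatever reverse proxy, WAF or access log sits in front of the ClearPass admin interface while waiting for the hotfix. The following added example is not part of the advisory and not Aruba or Apache code; it checks logged Content-Type values against the RFC 7231 media-type grammar and flags values that carry expression-language syntax or are otherwise not a media type at all. The log format, request paths and client addresses are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# RFC 7230 "token" characters (VCHAR minus delimiters) and quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'

# RFC 7231 media-type grammar:
#   media-type = type "/" subtype *( OWS ";" OWS parameter )
#   parameter  = token "=" ( token / quoted-string )
_MEDIA_TYPE_RE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:[ \t]*;[ \t]*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*[ \t]*$"
)

# Expression-language openers that never belong in a media type. Reported
# separately so an analyst can prioritise these over plain client bugs.
_EXPRESSION_RE = re.compile(r"[%$#]\{")


def classify_content_type(value: str) -> str:
    """Return 'ok' for a well-formed media type, otherwise a reason label."""
    if _EXPRESSION_RE.search(value):
        return "expression-syntax"
    if not _MEDIA_TYPE_RE.match(value.strip()):
        return "malformed"
    return "ok"


# Hypothetical log format (constructed for this example, not a ClearPass or
# proxy format):  <timestamp> <client> "<method> <path>" <status> content_type=<value>
_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r"(?P<status>\d{3}) content_type=(?P<ct>.*)$"
)

# Constructed sample lines; the addresses are documentation ranges and the
# paths are placeholders, not real ClearPass endpoints.
SAMPLE_LOG_LINES = [
    '2017-03-10T14:02:11Z 192.0.2.10 "POST /admin/login" 200 '
    "content_type=application/x-www-form-urlencoded",
    '2017-03-10T14:02:15Z 192.0.2.10 "POST /admin/upload" 200 '
    "content_type=multipart/form-data; boundary=abc123",
    '2017-03-10T14:03:40Z 198.51.100.77 "POST /admin/login" 500 '
    "content_type=%{(#x=1)}",
    '2017-03-10T14:03:41Z 198.51.100.77 "POST /admin/login" 500 '
    'content_type=text/plain; charset="utf-8"',
    '2017-03-10T14:05:02Z 203.0.113.9 "POST /admin/login" 400 '
    "content_type=not a media type",
]


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, reason, content_type) for every line whose
    Content-Type is not a well-formed media type. Unparseable lines are
    skipped rather than treated as findings."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        reason = classify_content_type(m.group("ct"))
        if reason != "ok":
            findings.append((m.group("client"), reason, m.group("ct")))
    return findings


def suspicious_clients(lines: List[str]) -> Dict[str, int]:
    """Count findings per client address, useful for deciding which sources
    to block at the Restrict Access list while the hotfix is pending."""
    counts: Dict[str, int] = {}
    for client, _reason, _ct in scan_log(lines):
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, reason, ct in scan_log(SAMPLE_LOG_LINES):
        print(f"{client:16} {reason:18} {ct}")
    print(suspicious_clients(SAMPLE_LOG_LINES))
```

The grammar check is deliberately strict: a legitimate browser or API client always sends `type/subtype` with optional `name=value` parameters, so anything else is either a broken client or a probe, and the per-client tally feeds straight into the Restrict Access workaround the advisory recommends.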