-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2018-001
CVE: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Publication Date: 2018-Jan-04
Status: Confirmed
Revision: 1

Title
=====
Unauthorized Memory Disclosure through CPU Side-Channel Attacks
("Meltdown" and "Spectre")

Overview
========
Vulnerabilities exist in multiple modern CPU architectures that could permit
an attacker who can run code on a system to read the contents of memory that
the attacker is not authorized to access. Aruba products are not affected by
these vulnerabilities, based on how the products are accessed.

Affected Products
=================
-- None (see below for details and caveats)

Details
=======
Full details of the "Meltdown" and "Spectre" vulnerabilities can be found at
the following URLs:

- https://meltdownattack.com/
- https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

Aruba products are based on a number of different CPU architectures, some of
which are affected by the vulnerabilities. However, no Aruba product allows
execution of arbitrary code by an unauthorized user, and exploiting these
vulnerabilities requires exactly that ability: the attacker must be able to
run code on the target CPU. Achieving code execution would require the
presence of a second, unrelated vulnerability, and it is likely that such a
vulnerability would already allow compromise of the system without the need
for further exploits.

Caveats to the statement above:

Virtual Appliances: ClearPass Policy Manager, AirWave, Mobility Master,
Virtual Mobility Controller, and IntroSpect Packet Processor are all available
as virtual appliances, running as guests under a hypervisor. If the hypervisor
is vulnerable and untrusted users have access to other guest systems running
under the same hypervisor, an attacker may be able to read memory from the
Aruba virtual appliance. Contact your virtualization vendor to determine
whether updates are available.
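The Virtual Appliances caveat above leaves the hypervisor host's mitigation
status to the operator. The script below is an added example, not code from
Aruba or from this advisory: a POSIX shell check that reads the Linux kernel's
sysfs vulnerability interface (/sys/devices/system/cpu/vulnerabilities/,
present since kernel 4.15) on a Linux hypervisor host and reports, for the
three CVEs named in this advisory, whether the kernel considers the CPU
vulnerable, mitigated or not affected. It applies only to Linux (for example
KVM) hosts; other hypervisors need their vendor's own tooling. The VULN_DIR
override, the --self-test mode and the constructed sample directory are
assumptions of this example, not part of any kernel or vendor interface.

```shell
#!/bin/sh
# Added example (not Aruba's code): report the Linux kernel's view of the
# Meltdown/Spectre mitigation status on a hypervisor host via sysfs.
# Kernel interface (real): /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
# Assumptions of this example: VULN_DIR override, --self-test mode, sample tree.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> prints one of: mitigated | vulnerable | not_affected | unknown
# The kernel's strings start with "Mitigation:", "Vulnerable" or "Not affected".
classify_status() {
    case "$1" in
        "Not affected"*) printf 'not_affected\n' ;;
        "Mitigation:"*)  printf 'mitigated\n' ;;
        "Vulnerable"*)   printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# report_one NAME CVE DIR -> prints one formatted line; returns 0 only when the
# entry is mitigated or not affected. A missing entry is treated as unknown
# (fail closed): the kernel is older than 4.15 or this is not Linux.
report_one() {
    name=$1; cve=$2; dir=$3
    if [ -r "$dir/$name" ]; then
        raw=$(cat "$dir/$name")
    else
        raw="(no sysfs entry: kernel older than 4.15 or not Linux)"
    fi
    status=$(classify_status "$raw")
    printf '%-10s %-14s %-12s %s\n' "$name" "$cve" "$status" "$raw"
    case "$status" in
        mitigated|not_affected) return 0 ;;
        *)                      return 1 ;;
    esac
}

# check_host DIR -> returns the number of entries (0..3) that are not mitigated.
check_host() {
    dir=${1:-$VULN_DIR}
    bad=0
    report_one meltdown   CVE-2017-5754 "$dir" || bad=$((bad + 1))
    report_one spectre_v1 CVE-2017-5753 "$dir" || bad=$((bad + 1))
    report_one spectre_v2 CVE-2017-5715 "$dir" || bad=$((bad + 1))
    return "$bad"
}

# Constructed sample sysfs tree (assumption, for --self-test only): a host with
# PTI and user-pointer sanitization but no Spectre v2 mitigation.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--self-test" ]; then
    target=$(make_sample_dir)
else
    target=$VULN_DIR
fi
unmitigated=0
check_host "$target" || unmitigated=$?
printf 'unmitigated entries: %s\n' "$unmitigated"
```

Run it on the hypervisor host as `sh check_cpu_vulns.sh`; the final line gives
the count of entries that are neither mitigated nor marked not affected, and
an "unknown" result (no sysfs entry) is deliberately counted as unmitigated so
that an old kernel does not pass silently. A guest running inside the Aruba
appliance cannot answer this question about the host; only the host's kernel
can.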
Aruba 8320/8400: This product provides the ability for authorized
administrators to run scripts, which could be used to exploit the
vulnerability. However, an administrator with access to run scripts already
has full administrative rights and can control any aspect of the system.
Thus, the vulnerability does not contribute to any form of information
disclosure or privilege escalation.

Cloud Products: Aruba's cloud providers supporting products such as Central,
Activate, and Meridian have notified Aruba that they are in the process of
applying, or have already applied, mitigation patches to their virtualization
environments.

Resolution
==========
No immediate action is required. As part of a defense-in-depth strategy, Aruba
will investigate kernel patches, CPU microcode updates, and other mitigations
and may deploy these in future software updates. However, some mitigation
techniques are known to reduce system performance significantly. Therefore,
given the limited security risk, Aruba will take the time to carefully test
the impact of any mitigation techniques on scalability before releasing
updates.

Workarounds
===========
No workarounds required.

Exploitation and Public Discussion
==================================
Aruba is aware of significant public discussion of this issue. Proof of
concept code has been published. None of the published code is applicable to
Aruba products.

Revision History
================
Revision 1 / 2018-Jan-04 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP
encryption.
Our public key can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2018 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at the
top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJaTpF9AAoJEJj+CcpFhYbZUH8IALKycb8fmt9Vc89O7tYdczoy
qPhzPGVx/FX8hqGhCNrmBkdctJAkLjozjBPK8AU1uWcW/A5l17qRJoDrxLxGOI3n
9lAAbqsvDBTaDrXgWMiSMeGntfr9V8FUohgy4DuAsyQ+StYJjRUvk8wC+xXhkJ0t
LjchrzOGbCrh2WxS2MHZQCxvnPbcpP0SQ84GHHA7mAbyjNG0j0YtCaj+RrHD2/ct
PWZb3vAYWqqZvmAeT0jV4Hl9LUdkyDfkxI5J1dFvtqWkWqh1c9WkL1R2MC1RyQkw
K9CxSNj5Ks/X54eKu4oiWReBa35vV8UU9YHKmqw6SOAsiBHUcwJr2sFRP9Wxe8c=
=dqZf
-----END PGP SIGNATURE-----