Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2018-005
CVE: CVE-2018-11776
Publication Date: 2018-Aug-29
Status: Confirmed
Revision: 2

Title
=====
Apache Struts Vulnerability in ClearPass Policy Manager

Overview
========
The Apache Struts group announced Struts version 2.3.35 on August 22, 2018. Included in this update is a fix for one security vulnerability. Aruba ClearPass includes Apache Struts 2.3.34, but in a non-vulnerable configuration.

Affected Products
=================
None

Details
=======
Apache Struts versions 2.3 prior to 2.3.35 suffer from a possible Remote Code Execution vulnerability. After examination of the source code and extensive testing using both commercial vulnerability scanners and exploit-specific test scripts, Aruba has determined that ClearPass is not affected by the latest vulnerability in Apache Struts.

Resolution
==========
In a future software patch, Aruba will update the version of Apache Struts included in ClearPass Policy Manager. However, this will be done as a precaution rather than in response to an actual vulnerability. No immediate action is required.

Workarounds
===========
As a standard best practice, Aruba recommends that ClearPass administrators restrict access to the Policy Manager Admin Web Interface. This can be accomplished by navigating to Administration >> Server Manager >> Server Configuration >> Network >> Restrict Access and only allowing non-public or network management networks.

Exploitation and Public Discussion
==================================
Aruba is aware of significant public discussion of this issue, and exploit code is reported to exist.
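The Details section gives the affected range for the 2.3 branch (prior to 2.3.35) while the Overview shows that version alone is not a verdict (ClearPass ships 2.3.34 in a non-vulnerable configuration). The following added example, not code from Aruba or this advisory, is an inventory helper that reads the Implementation-Version from a jar's MANIFEST.MF (falling back to the file name) and flags 2.3.x versions below 2.3.35 for review; the sample jar it builds is constructed test data.

```python
import io
import re
import zipfile
from typing import Optional, Tuple

# Struts 2.3 branch: versions before 2.3.35 fall in the range named by the advisory.
FIXED_2_3 = (2, 3, 35)


def build_sample_jar(version: str) -> bytes:
    """Constructed test fixture: a minimal jar whose manifest carries the given version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()


def manifest_version(jar_bytes: bytes) -> Optional[str]:
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def assess(version: str) -> str:
    """Classify a Struts version string against the advisory's fixed version."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    v = tuple(int(x) for x in m.groups())
    if v[:2] != (2, 3):
        return "out-of-scope"   # the advisory only covers the 2.3 branch
    # "review": inside the affected range, but configuration decides (ClearPass
    # ships 2.3.34 and is not affected), so this is a triage flag, not a verdict.
    return "review" if v < FIXED_2_3 else "fixed"


def assess_jar(name: str, jar_bytes: bytes) -> Tuple[Optional[str], str]:
    """Prefer the manifest version; fall back to the version embedded in the file name."""
    version = manifest_version(jar_bytes)
    if version is None:
        m = re.search(r"struts2-core-(\d+\.\d+\.\d+)", name)
        version = m.group(1) if m else None
    return version, (assess(version) if version else "unknown")


if __name__ == "__main__":
    for name, ver in [("struts2-core-2.3.34.jar", "2.3.34"), ("struts2-core-2.3.35.jar", "2.3.35")]:
        print(name, assess_jar(name, build_sample_jar(ver)))
```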
Revision History
================
Revision 1 / 2018-Aug-24 / Initial release
Revision 2 / 2018-Aug-29 / Updated with "not vulnerable" conclusion

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2018 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.