Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2020-001
CVE: CVE-2019-5322
Publication Date: 2020-Feb-12
Status: Confirmed
Revision: 2


Title
=====
Information Disclosure in Web Management Interface for Aruba Intelligent Edge Switches.


Overview
========
An information disclosure vulnerability is present in Aruba Intelligent Edge Switches which allows an attacker to retrieve sensitive system information. This attack can be carried out without user authentication under very specific conditions.


Affected Products
=================
This vulnerability affects Aruba Intelligent Edge Switches:

  - 5400R
  - 3810
  - 2920
  - 2930
  - 2530 with GigT Port
  - 2530 10/100 port
  - 2540

The following firmware versions for the aforementioned products are affected:

  - 16.08.* before 16.08.0009
  - 16.09.* before 16.09.0007
  - 16.10.* before 16.10.0003


Details
=======
An information disclosure vulnerability exists in the web management interface for affected switches. This vulnerability could be used to retrieve sensitive system information by sending a specially crafted packet to the Web Management Interface. The vulnerability can only be exploited to retrieve system information under very specific conditions. If those conditions are met, the vulnerability can be exploited without authentication.

    Internal reference: ASIRT-89
    Severity: HIGH
    CVSSv3 Overall Score: 7.5
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


Resolution
==========
This vulnerability is resolved by updating to the following firmware versions:

  - 16.08.0009
  - 16.09.0007
  - 16.10.0003


Discovery
=========
Aruba would like to thank the following researcher for discovering and reporting this vulnerability:

  - Alexis La Goutte


Workarounds
===========
If updating to the latest version is not possible, disable web management where possible. If you need assistance disabling web management, contact Aruba support. Another workaround is isolating the switch web management interface using network segmentation techniques.


Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code related to this issue.


Revision History
================
    Revision 1 / 2020-Feb-11 / Initial Release
    Revision 2 / 2020-Feb-12 / Additional Workaround Information


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:

    http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

    http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.
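
An inventory triage check built from the Affected Products and Resolution lists above. This is an added example, not Aruba code. It assumes the inventory holds (hostname, model, firmware) rows, that firmware strings look like "16.10.0002" with an optional two-letter platform prefix, and that a model matches by containing a listed family number; the hostnames and sample rows are constructed.

```python
import re

# Fixed build per affected branch, from the advisory's Resolution list.
FIXED = {(16, 8): 9, (16, 9): 7, (16, 10): 3}

# Model families from the advisory's Affected Products list.
AFFECTED_MODELS = ("5400R", "3810", "2920", "2930", "2530", "2540")

# Assumption: "16.10.0002", optionally prefixed like "WC.16.10.0002".
VERSION_RE = re.compile(r"^(?:[A-Z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")


def classify(model, version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for one switch."""
    if not any(family in model for family in AFFECTED_MODELS):
        return "not-listed"
    match = VERSION_RE.match(version.strip())
    if not match:
        return "unparsed"  # surface for manual review instead of guessing
    major, minor, build = (int(group) for group in match.groups())
    fixed_build = FIXED.get((major, minor))
    if fixed_build is None:
        return "not-listed"  # branch the advisory makes no statement about
    # Compare numerically so 0010 sorts after 0009.
    return "affected" if build < fixed_build else "fixed"


def triage(inventory):
    """Group hostnames by status; rows are (hostname, model, firmware)."""
    report = {}
    for host, model, version in inventory:
        report.setdefault(classify(model, version), []).append(host)
    return report


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("sw-core-1", "5400R", "KB.16.08.0008"),
    ("sw-acc-1", "2930F", "WC.16.10.0003"),
    ("sw-acc-2", "2530", "16.09.0006"),
    ("sw-acc-3", "2540", "YC.16.07.0004"),
    ("sw-acc-4", "2920", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Switches reported as "affected" need the firmware update or one of the workarounds above; "not-listed" and "unparsed" rows need manual review, since the advisory only covers the 16.08, 16.09 and 16.10 branches.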