Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2020-008
CVE: CVE-2020-7119
Publication Date: 2020-Sep-01
Status: Confirmed
Revision: 1

Title
=====
Authenticated arbitrary file modification vulnerability in Analytics and
Location Engine (ALE)

Overview
========
Aruba has released an update to Analytics and Location Engine (ALE) that
addresses a high severity vulnerability in the Web Management Interface of
this product.

Affected Products
=================
This vulnerability affects Analytics and Location Engine (ALE). The
following firmware versions of this product are affected:

  ALE 2.1.0.* prior to 2.1.0.3
  ALE 2.0.0.*

Details
=======
A vulnerability exists in the web management interface that allows an
already authenticated administrative user to arbitrarily modify files as an
underlying privileged operating system user.

Internal reference: ATLWL-141
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Resolution
==========
This vulnerability is resolved by updating to the following firmware
version:

  - 2.1.0.3 and higher

Discovery
=========
Aruba would like to thank the following researcher for discovering and
reporting this vulnerability: Duc Anh Nguyen

Workarounds
===========
None.

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code related to this
issue.

Revision History
================
Revision 1 / 2020-Sep-01 / Initial Release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at:

  http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP
encryption. Our public keys can be found at:

  http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company. This
advisory may be redistributed freely after the release date given at the top
of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.