Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2021-002
CVE: CVE-2021-25141
Publication Date: 2021-Feb-05
Status: Confirmed
Revision: 1

Note: Information originally published in
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbnw04082en_us

Title
=====
HPESBNW04082 rev.1 - HPE and Aruba L2/L3 Switches, Local Denial of
Service (DoS)

Overview
========
A security vulnerability has been identified in certain HPE and Aruba
L2/L3 switch firmware. A data processing error due to improper handling
of an unexpected data type in user supplied information to the switch's
management interface has been identified. The data processing error
could be exploited to cause a crash or reboot in the switch management
interface and/or possibly the switch itself leading to local denial of
service (DoS). The user must have administrator privileges to exploit
this vulnerability.

References: CVE-2021-25141
Severity: Medium
CVSSv3 Overall Score: 4.2
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

Affected Products
=================
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Aruba 5400R zl2 Switch Series - Prior to KB.16.10.0012
Aruba 3810M Switch Series - Prior to KB.16.10.0012
Aruba 2930M Switch Series - Prior to WC.16.10.0012
Aruba 2930F Switch Series - Prior to WC.16.10.0012
Aruba 2920 Switch Series - Prior to WB.16.10.0011
Aruba 2540 Switch Series - Prior to YC.16.10.0012
Aruba 2530 Switch Series
  Aruba 2530YA prior to YA.16.10.0012
  Aruba 2530YB prior to YB.16.10.0012
Aruba 5400 zl Switch Series - Prior to K.16.02.0032
Aruba 3800 Switch Series - Prior to KA.16.04.0022
Aruba 2620 Switch Series - Prior to RA.16.04.0022
HPE 8200 zl Switch Series - Prior to K.15.18.0024
HPE 6200 yl Switch Series - Prior to K.15.18.0024
HPE 3500 and 3500 yl Switch Series - Prior to K.16.02.0032

Resolution
==========
HPE Aruba has released software updates to resolve this vulnerability
in certain HPE and Aruba L2/L3 switch products. Please visit the Aruba
Support Portal or the HPE My Networking Portal to download the latest
firmware and software updates for the following products:

Aruba 5400 zl2 Switch Series - KB.16.10.0012
Aruba 3810M Switch Series - KB.16.10.0012
Aruba 2930M Switch Series - WC.16.10.0012
Aruba 2930F Switch Series - WC.16.10.0012
Aruba 2920 Switch Series - WB.16.10.0011
Aruba 2540 Switch Series - YC.16.10.0012
Aruba 2530YB Switch Series - YB.16.10.0012
Aruba 2530YA Switch Series - YA.16.10.0012
Aruba 5400 zl Switch Series - K.16.02.0032
Aruba 3800 Switch Series - KA.16.04.0022
Aruba 2620 Switch Series - RA.16.04.0022
HPE 8200 zl Switch Series - K.15.18.0024
HPE 6200 yl Switch Series - K.15.18.0024
HPE 3500 and 3500 yl Switch Series - K.16.02.0032

Workaround
==========
None.

Revision History
================
Revision 1 / 2021-Feb-05 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
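
A triage check against the fixed releases listed under Resolution, added here as an example and not part of the Aruba advisory: it compares a switch's running firmware string with the fixed release for its series. The inventory, hostnames and function names are assumptions made for illustration; the series must be supplied alongside the version because the K-prefix images have two different fixed releases.

```python
import re

# Fixed releases copied from the advisory's Resolution list, keyed by the
# series names used under Affected Products (2530 split by image prefix).
FIXED = {
    "5400R zl2": "KB.16.10.0012", "3810M": "KB.16.10.0012",
    "2930M": "WC.16.10.0012", "2930F": "WC.16.10.0012",
    "2920": "WB.16.10.0011", "2540": "YC.16.10.0012",
    "2530YA": "YA.16.10.0012", "2530YB": "YB.16.10.0012",
    "5400 zl": "K.16.02.0032", "3800": "KA.16.04.0022",
    "2620": "RA.16.04.0022", "8200 zl": "K.15.18.0024",
    "6200 yl": "K.15.18.0024", "3500": "K.16.02.0032",
    "3500 yl": "K.16.02.0032",
}

VERSION_RE = re.compile(r"^([A-Z]{1,2})\.(\d+)\.(\d+)\.(\d+)$")

def parse(version):
    """Split 'KB.16.10.0012' into ('KB', (16, 10, 12)); None if malformed."""
    m = VERSION_RE.match(version.strip())
    return (m.group(1), tuple(int(g) for g in m.groups()[1:])) if m else None

def triage(series, running):
    """Return 'affected', 'fixed' or 'unknown' for one switch."""
    fixed, current = FIXED.get(series), parse(running)
    if fixed is None or current is None:
        return "unknown"            # series not in the table, or bad string
    fixed_prefix, fixed_nums = parse(fixed)
    if current[0] != fixed_prefix:
        return "unknown"            # image family does not match the series
    return "affected" if current[1] < fixed_nums else "fixed"

# Constructed inventory (hostnames and running versions are made up).
INVENTORY = [
    ("core-1", "5400R zl2", "KB.16.10.0009"),
    ("acc-7", "2920", "WB.16.10.0011"),
    ("old-2", "8200 zl", "K.15.18.0024"),
    ("old-3", "5400 zl", "K.15.18.0024"),   # same string, different series
    ("lab-1", "2930F", "WC.16.10"),         # truncated version string
]

def report(inventory):
    """Map each hostname to its triage result."""
    return {host: triage(series, ver) for host, series, ver in inventory}

if __name__ == "__main__":
    for host, result in report(INVENTORY).items():
        print(f"{host}: {result}")
```

Entries reported as "unknown" need a manual check rather than being treated as unaffected.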