Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2021-003
CVE: CVE-2020-27337
Publication Date: 2021-Feb-05
Last Updated: 2021-Mar-17
Status: Confirmed
Revision: 2

Note: Information originally published in
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbnw04083en_us

Title
=====
HPESBNW04083 rev.2 - HPE and Aruba L2/L3 Switches, Remote Memory Corruption

Overview
========
A potential security vulnerability has been identified in certain HPE and
Aruba L2/L3 switches. The vulnerability could be remotely exploited to
cause memory corruption.

References: CVE-2020-27337
Severity: High
CVSSv3 Overall Score: 7.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products
=================
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Aruba 5400R zl2 Switch Series - Prior to KB.16.10.0012, KB.16.09.0015, KB.16.08.0019
Aruba 3810M Switch Series - Prior to KB.16.10.0012, KB.16.09.0015, KB.16.08.0019
Aruba 2930M Switch Series - Prior to KB.16.10.0012, KB.16.09.0015, KB.16.08.0019
Aruba 2930F Switch Series - Prior to KB.16.10.0012, KB.16.09.0015, KB.16.08.0019
Aruba 2920 Switch Series - Prior to KB.16.10.0012, KB.16.09.0015, KB.16.08.0019
Aruba 2540 Switch Series - Prior to KB.16.10.0012, KB.16.09.0015, KB.16.08.0019
Aruba 2530 Switch Series
  Aruba 2530YA - Prior to YA.16.10.0012, YA.16.09.0015, YA.16.08.0019
  Aruba 2530YB - Prior to YB.16.10.0012, YB.16.09.0015, YB.16.08.0019
Aruba 5400 zl Switch Series - Prior to K.16.02.0032
Aruba 3800 Switch Series - Prior to KA.16.04.0022
Aruba 2915 Switch Series - Prior to A.15.16.0023
Aruba 2620 Switch Series - Prior to RA.16.04.0022
Aruba 2615 Switch Series - Prior to A.15.16.0023
HPE 8200 zl Switch Series - Prior to K.15.18.0024
HPE 6200 yl Switch Series - Prior to K.15.18.0024
HPE 3500 and 3500 yl Switch Series - Prior to K.16.02.0032

Resolution
==========
HPE Aruba has released software
updates to resolve this vulnerability in certain HPE and Aruba L2/L3
switch products. Please visit the Aruba Support Portal or the HPE My
Networking Portal to download the latest firmware and software updates
for the following products:

Aruba 5400 zl2 Switch Series - KB.16.10.0012, KB.16.09.0015, KB.16.08.0019
Aruba 3810M Switch Series - KB.16.10.0012, KB.16.09.0015, KB.16.08.0019
Aruba 2930M Switch Series - WC.16.10.0012, WC.16.09.0015, WC.16.08.0019
Aruba 2930F Switch Series - WC.16.10.0012, WC.16.09.0015, WC.16.08.0019
Aruba 2920 Switch Series - WB.16.10.0011, WB.16.09.0015, WB.16.08.0019
Aruba 2540 Switch Series - YC.16.10.0012, YC.16.09.0015, YC.16.08.0019
Aruba 2530YB Switch Series - YB.16.10.0012, YB.16.09.0015, YB.16.08.0019
Aruba 2530YA Switch Series - YA.16.10.0012, YA.16.09.0015, YA.16.08.0019
Aruba 5400 zl Switch Series - K.16.02.0032
Aruba 3800 Switch Series - KA.16.04.0022
Aruba 2915 Switch Series - A.15.16.0023
Aruba 2620 Switch Series - RA.16.04.0022
Aruba 2615 Switch Series - A.15.16.0023
HPE 8200 zl Switch Series - K.15.18.0024
HPE 6200 yl Switch Series - K.15.18.0024
HPE 3500 and 3500 yl Switch Series - K.16.02.0032

Workaround
==========
This vulnerability, CVE-2020-27337, only affects the IPv6 TCP/IP stack.
If IPv6 is not used, the switch is not affected by this vulnerability.
IPv6 on VLAN 1 is enabled by default. HPE and Aruba recommend disabling
IPv6 on VLAN 1 if it is not used. Please refer to your Aruba switch
product's Management and Configuration Guide for specific commands. If
you need further configuration assistance, please contact HPE/Aruba
Technical Support.

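Added example (not part of the Aruba advisory): a Python triage of a switch inventory against the fixed releases listed under Resolution. The series keys, the `<prefix>.<major>.<minor>.<build>` version layout, the verdict names and the sample inventory are assumptions made for illustration; a running release on a branch the advisory does not list is only called "update" when it is older than every fixed release for that series, otherwise it is flagged for manual review.

```python
import re

# Fixed releases per switch series, copied from the advisory's Resolution list.
B16 = ("16.10.0012", "16.09.0015", "16.08.0019")
FIXED = {
    "5400 zl2": ("KB", B16), "3810M": ("KB", B16),
    "2930M": ("WC", B16), "2930F": ("WC", B16),
    "2920": ("WB", ("16.10.0011", "16.09.0015", "16.08.0019")),
    "2540": ("YC", B16), "2530YB": ("YB", B16), "2530YA": ("YA", B16),
    "5400 zl": ("K", ("16.02.0032",)), "3500": ("K", ("16.02.0032",)),
    "8200 zl": ("K", ("15.18.0024",)), "6200 yl": ("K", ("15.18.0024",)),
    "3800": ("KA", ("16.04.0022",)), "2620": ("RA", ("16.04.0022",)),
    "2915": ("A", ("15.16.0023",)), "2615": ("A", ("15.16.0023",)),
}
# Assumed version layout: <prefix>.<major>.<minor>.<build>, e.g. WC.16.10.0012
VERSION_RE = re.compile(r"^([A-Z]{1,2})\.(\d+)\.(\d+)\.(\d+)$")


def triage(series, version):
    """Return 'fixed', 'update' or 'review' for one switch."""
    entry = FIXED.get(series)
    m = VERSION_RE.match(version.strip())
    if entry is None or m is None or m.group(1) != entry[0]:
        return "review"  # series not listed, or version/prefix mismatch
    running = tuple(int(g) for g in m.group(2, 3, 4))
    fixed = [tuple(int(p) for p in rel.split(".")) for rel in entry[1]]
    for rel in fixed:
        if running[:2] == rel[:2]:  # same branch: compare build numbers
            return "fixed" if running[2] >= rel[2] else "update"
    # Unlisted branch: older than every fixed release counts as "prior to".
    return "update" if running < min(fixed) else "review"


# Constructed inventory for illustration (not real devices).
INVENTORY = [
    ("2930F", "WC.16.10.0009"), ("2920", "WB.16.10.0011"),
    ("3800", "KA.16.04.0016"), ("2930M", "WC.16.07.0003"),
    ("5400 zl", "K.15.18.0024"), ("2540", "YC.16.11.0001"),
]


def report(inventory):
    return {f"{s} {v}": triage(s, v) for s, v in inventory}


if __name__ == "__main__":
    for device, verdict in report(INVENTORY).items():
        print(f"{device:24} {verdict}")
```

Devices that come back as "update" and still need IPv6 remain exposed until upgraded; for those that do not use IPv6, the workaround above applies in the meantime.
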
Revision History
================
Revision 1 / 2021-Feb-05 / Initial release
Revision 2 / 2021-Mar-17 / Added more information to the Vulnerability
  Summary section, a workaround in the Vulnerability Resolution section,
  and branch release information

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.