Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-006
CVE: CVE-2022-22947, CVE-2022-22963, CVE-2022-22965
Publication Date: 2022-Apr-06
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
Multiple CVEs involving Spring Cloud and Spring Framework

Overview
========
Three CVEs have been published about various vulnerabilities
discovered in the Spring Framework and Spring Cloud. Details can be
found at:

CVE-2022-22947 https://nvd.nist.gov/vuln/detail/CVE-2022-22947
CVE-2022-22963 https://nvd.nist.gov/vuln/detail/CVE-2022-22963
CVE-2022-22965 https://nvd.nist.gov/vuln/detail/CVE-2022-22965

Affected Products
=================
-- None

Unaffected Products
===================
-- AirWave Management Platform
-- Aruba Analytics and Location Engine
-- Aruba Central / Central On-Premises
-- Aruba ClearPass Policy Manager
-- Aruba Instant / Aruba Instant Access Points
-- Aruba Instant On
-- Aruba IntroSpect
-- Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
-- Aruba NetEdit
-- Aruba User Experience Insight (UXI)
-- ArubaOS Wi-Fi Controllers and Gateways
-- ArubaOS SD-WAN Gateways
-- ArubaOS-CX Switches
-- ArubaOS-S Switches
-- HP ProCurve Switches
-- Aruba VIA Client
-- Silver Peak Orchestrator
-- Silver Peak Edge Connect

Other Aruba products not listed above are also not known to be
affected by the vulnerability.

Details
=======
No Aruba products have been found to be impacted by the
vulnerabilities listed above. Aruba does not usually issue advisories
where no action is required but due to the discussion generated by
SpringShell we are making an exception.

Resolution
==========
No action is required.

Workaround and Mitigations
==========================
No action is required.

Exploitation and Public Discussion
==================================
More information about CVE-2022-22965 (SpringShell) can be found at
https://jfrog.com/blog/springshell-zero-day-vulnerability-all-you-need-to-know/

Discovery
=========
Please see the following links for more details:

CVE-2022-22947 https://nvd.nist.gov/vuln/detail/CVE-2022-22947
CVE-2022-22963 https://nvd.nist.gov/vuln/detail/CVE-2022-22963
CVE-2022-22965 https://nvd.nist.gov/vuln/detail/CVE-2022-22965

Revision History
================
Revision 1 / 2022-Apr-06 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.