Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-009
CVE: CVE-2022-0778
Publication Date: 2022-May-04
Last Update: 2022-Jul-21
Status: Confirmed
Severity: High
Revision: 3

Title
=====
Faulty OpenSSL Handling of Certificates Containing Elliptic Curve
Public Keys Leading to Denial of Service

Overview
========
A CVE has been disclosed that involves the faulty handling of certain
certificates by OpenSSL. This CVE impacts multiple Aruba products.

Details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2022-0778

Affected Products
=================
- AirWave Management Platform
  - 8.2.14.0 and below
- Aruba Analytics and Location Engine
  - 2.2.0.2 and below
- Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
  - 6.2.0 and below
- Aruba Central On-Premises
  - 2.5.4.x and below
- Aruba ClearPass Policy Manager
  - 6.10.4 and below
  - 6.9.10 and below
  - 6.8.9 without Hotfix for Q1 2022 Security issues
- ArubaOS-CX Switches
  - 10.09.1010 and below
  - 10.08.1050 and below
  - 10.07.0070 and below
  - 10.06.0190 and below
- ArubaOS Wi-Fi Controllers and Gateways
- ArubaOS SD-WAN Gateways
  - ArubaOS 6.5.x: 6.5.4.23 and below
  - ArubaOS 8.6.x: 8.6.0.18 and below
  - ArubaOS 8.7.x: 8.7.1.9 and below
  - ArubaOS 8.10.x: 8.10.0.1 and below
  - ArubaOS 10.3.x: 10.3.1.0 and below
  - SDWAN 2.X: 8.7.0.0-2.3.0.7 and below
- Aruba IntroSpect
  - All versions
  - Aruba will not be issuing patches for this issue. Please see the
    workaround section below for suggested workarounds.
- Aruba InstantOS / Aruba Access Points running ArubaOS 10
  - Aruba InstantOS 8.6.x: 8.6.0.18 and below
  - Aruba InstantOS 8.7.x: 8.7.1.9 and below
  - Aruba InstantOS 8.10.x: 8.10.0.1 and below
  - ArubaOS 10.3.x: 10.3.1.0 and below
  - Please note that 6.x is not affected
- Aruba Instant On switches - models 1830, 1930 and 1960 with locally
  managed firmware
  - 2.5.0.x and below
- Aruba NetEdit
  - 2.3.0 and below
- Aruba EdgeConnect Enterprise
  - ECOS 9.1.1.3 and below
  - ECOS 9.0.6.0 and below
  - ECOS 8.3.6.0 and below
  - Impact of this vulnerability on ECOS is very low.
- Aruba EdgeConnect Enterprise Orchestrator (on prem)
  - See resolution section for details

Unaffected Products
===================
- ArubaOS-S Switches
- Aruba User Experience Insight (UXI)
- Aruba VIA Client
- Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
- Aruba EdgeConnect Enterprise Orchestrator-SP
- Aruba EdgeConnect Enterprise Orchestrator Global Enterprise

Other Aruba products not listed above are also not known to be affected
by the vulnerability.

Details
=======
A vulnerability has been identified in a commonly used component in
multiple Aruba products. This vulnerability allows attackers to use
specially crafted certificates to cause a denial of service.

Details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2022-0778

Internal references: ATLCP-184, ATLAW-182, ATLWL-281, ATLWL-282,
ATLWL-283, ATLWL-284, ATLWL-285, ATLWL-286, ATLWL-287, ATLWL-288,
ATLWL-289, ATLAX-56, ATLAX-57, ATLAX-58, ATLWL-290, ATLWL-291, ATLWL-310

Severity: High
CVSSv3.1 Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Aruba Threat Labs analyzed and tested this vulnerability in the products
using the affected component. What has been found is that exploitation
of this vulnerability is not straightforward and depends on many factors
that an attacker may not be able to control. Aruba has chosen to keep
the NVD provided severity score as a reference.
The impact on products using the affected component is very low based on
ongoing testing.

Resolution
==========
- AirWave Management Platform
  - 8.2.14.1 and above
- Aruba Analytics and Location Engine
  - 2.2.0.3 and above
    Release ETA - late July 2022
- Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
  - 6.2.1 and above
- Aruba Central On-Premises
  - 2.5.5.0 and above
    Release ETA - late July 2022
- Aruba ClearPass Policy Manager
  - 6.10.5 and above
  - 6.9.11 and above
  - 6.8.9 with Hotfix for Q1 2022 Security issues applied
- ArubaOS-CX Switches
  - 10.09.1020 and above
  - 10.08.1060 and above
  - 10.07.0080 and above
  - 10.06.0200 and above
- ArubaOS Wi-Fi Controllers and Gateways
- ArubaOS SD-WAN Gateways
  - ArubaOS 6.5.x: 6.5.4.24 and above
    Release ETA - late August 2022
  - ArubaOS 8.6.x: 8.6.0.19 and above
    Release ETA - early September 2022
  - ArubaOS 8.7.x: 8.7.1.10 and above
    Release ETA - late July 2022
  - ArubaOS 8.10.x: 8.10.0.2 and above
  - ArubaOS 10.3.x: 10.3.1.1 and above
    Release ETA - early August 2022
  - SDWAN 2.3: 8.7.0.0-2.3.0.8 and above
    Release ETA - late July 2022
- Aruba InstantOS / Aruba Access Points running ArubaOS 10
  - Aruba InstantOS 8.6.x: 8.6.0.19 and above
    Release ETA - early September 2022
  - Aruba InstantOS 8.7.x: 8.7.1.10 and above
    Release ETA - late July 2022
  - Aruba InstantOS 8.10.x: 8.10.0.2 and above
  - ArubaOS 10.3.x: 10.3.1.1 and above
    Release ETA - early August 2022
- Aruba Instant On switches - models 1830, 1930 and 1960 with locally
  managed firmware
  - 2.6.0 and above
  - firmware may be found at
    https://community.arubainstanton.com/support/documentation/support-documentation-list?CommunityKey=26af222f-d9da-43cb-a665-cba6c273756c
- Aruba NetEdit
  - 2.4.0 and above
- Aruba EdgeConnect Enterprise
  - ECOS 9.1.1.4 and above
  - ECOS 9.0.7.0 and above
  - ECOS 8.3.7.0 and above
  - Impact of this vulnerability on ECOS is very low. Fixes will be
    applied only to the ECOS versions that are listed above due to the
    minimal risk involved.
- Aruba EdgeConnect Enterprise Orchestrator (on prem)
  - Customers are suggested to run 'yum update openssl' from the
    administrative command line to address this vulnerability; to verify
    if the patch has been applied, run "rpm -q --info openssl". If the
    output says "25.el7_9" as part of the version, the patch is applied.
  - OR -
  - Upgrading (from 9.0.6 or later) to any newer Orchestrator version
    automatically updates expat and resolves this vulnerability.
  - New virtual machine images already have the fix for this
    vulnerability.
  - Customers using Fedora must upgrade to CentOS for support of security
    updates. Please contact Customer Support for the procedure.

Aruba does not evaluate or patch product versions that have reached their
End of Support (EoS) milestone. For more information about Aruba's End of
Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting this vulnerability,
Aruba recommends that the CLI and web-based management interfaces be
restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

Exploitation and Public Discussion
==================================
This vulnerability is being widely discussed in public. Aruba is not
aware of any exploitation tools or techniques that specifically target
Aruba products.

Revision History
================
Revision 1 / 2022-May-04 / Initial release
Revision 2 / 2022-Jun-01 / AOS-S investigation completed and marked as
  unaffected. AOS-CX information added. Aruba UXI investigation completed
  and marked as unaffected. EdgeConnect and Orchestrator information
  added. NetEdit information added. ClearPass Policy Manager information
  added. End of Support information added.
Revision 3 / 2022-Jul-21 / Aruba Location Engine information added.
  Aruba InstantOn information added. Aruba Central On-Premises
  information added. Aruba Introspect information added.
  Aruba InstantOS and InstantOS AP information added. ArubaOS Wi-Fi
  Controllers and Gateways information added. ArubaOS SD-WAN Gateways
  information added. Removed products under investigation section.
  Marked status as confirmed.

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
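The Orchestrator (on prem) verification step in the Resolution section checks the openssl package release against 25.el7_9. As an added example that is not part of the Aruba advisory, the POSIX shell function below parses the output of `rpm -q --info openssl` and treats 25.el7_9 or any later el7_9 rebuild as patched, which a plain substring match for "25.el7_9" would report as unpatched; the sample outputs are constructed, and the "Release     : <num>.<dist>" line format and the function names are assumptions.

```shell
# Added example, not from the Aruba advisory. Decides whether the installed
# openssl RPM is the 25.el7_9 build (or a later el7_9 rebuild) from the text
# that `rpm -q --info openssl` prints. Assumes the "Release     : 25.el7_9"
# line format of rpm -qi output.

# Constructed sample outputs in the shape `rpm -q --info openssl` prints.
SAMPLE_FIXED='Name        : openssl
Version     : 1.0.2k
Release     : 25.el7_9
Architecture: x86_64'

SAMPLE_OLD='Name        : openssl
Version     : 1.0.2k
Release     : 19.el7
Architecture: x86_64'

# openssl_release <rpm-info-text>: prints the Release field, e.g. 25.el7_9
openssl_release() {
    printf '%s\n' "$1" | sed -n 's/^Release[[:space:]]*:[[:space:]]*//p'
}

# openssl_patched <rpm-info-text>: prints "patched" and returns 0 when the
# release is 25.el7_9 or a later el7_9 rebuild (26.el7_9, ...); "unpatched"
# (status 1) for older builds; "unknown" (status 2) if no Release line parses.
openssl_patched() {
    release=$(openssl_release "$1")
    num=${release%%.*}            # build number before the first dot
    dist=${release#*.}            # distribution tag, e.g. el7_9 or el7
    case "$num" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$dist" = "el7_9" ] && [ "$num" -ge 25 ]; then
        echo "patched"; return 0
    fi
    echo "unpatched"; return 1
}

# Live check on this host (only meaningful on a CentOS 7 Orchestrator VM).
if command -v rpm >/dev/null 2>&1; then
    openssl_patched "$(rpm -q --info openssl 2>/dev/null)" || true
fi
```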