-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-010
CVE: CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314,
     CVE-2022-25315
Publication Date: 2022-May-17
Last Update: 2022-Jul-21
Status: Confirmed
Severity: Critical
Revision: 4

Title
=====
Multiple Vulnerabilities in Expat XML processing library

Overview
========
Multiple CVEs have been disclosed that involve faulty handling of XML
input by the Expat XML parsing library. These CVEs impact multiple Aruba
products. Details can be found at:

https://nvd.nist.gov/vuln/detail/CVE-2022-25235
https://nvd.nist.gov/vuln/detail/CVE-2022-25236
https://nvd.nist.gov/vuln/detail/CVE-2022-25313
https://nvd.nist.gov/vuln/detail/CVE-2022-25314
https://nvd.nist.gov/vuln/detail/CVE-2022-25315

Affected Products
=================
- AirWave Management Platform
  - 8.2.14.0 and below
- Aruba Analytics and Location Engine
  - 2.2.0.2 and below
- Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
  - 6.2.0 and below
- Aruba Central On-Premises
  - 2.5.4.x and below
- Aruba ClearPass Policy Manager
  - 6.10.4 and below
  - 6.9.10 and below
  - 6.8.9 without Hotfix for Q1 2022 Security issues
- ArubaOS-CX Switches
  - 10.09.1030 and below
  - 10.08.1060 and below
  - 10.07.0070 and below
  - 10.06.0200 and below
- ArubaOS Wi-Fi Controllers and Gateways
- ArubaOS SD-WAN Gateways
  - Please note that this only affects controllers and gateways based on
    the x86 architecture. This includes the following models:
    - Aruba 9000 Series Controllers
    - Aruba 9200 Series Controllers
    - Aruba Virtual Mobility Controllers
    - Aruba Virtual and Hardware-based Mobility Conductors
  - The affected code versions are as follows:
    - ArubaOS 8.6.x: 8.6.0.18 and below
    - ArubaOS 8.7.x: 8.7.1.9 and below
    - ArubaOS 8.10.x: 8.10.0.2 and below
    - ArubaOS 10.3.x: 10.3.1.0 and below
    - SDWAN 2.X: 8.7.0.0-2.3.0.7 and below
- Aruba EdgeConnect Enterprise
  - ECOS 9.1.1.3 and below
  - ECOS 9.0.6.0 and below
  - ECOS 8.3.6.0 and below
  - Impact of this vulnerability on ECOS is very low.
- Aruba EdgeConnect Enterprise Orchestrator (on-premises)
  - See resolution section for details
- Aruba Virtual Intranet Access (VIA)
  - Affects macOS/OSX versions only. Others are unaffected.
  - 4.3.0 and below

Unaffected Products
===================
- Aruba Instant / Aruba Instant Access Points
- Aruba Instant On
- Aruba IntroSpect
- Aruba NetEdit
- Aruba User Experience Insight (UXI)
- ArubaOS-S Switches
- Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
- Aruba EdgeConnect Enterprise Orchestrator-SP
- Aruba EdgeConnect Enterprise Orchestrator Global Enterprise

Other Aruba products not listed above are also not known to be affected
by these vulnerabilities.

Details
=======
Vulnerabilities have been identified in a commonly used component in
multiple Aruba products. These vulnerabilities allow attackers to use
specially crafted XML input to potentially cause denial of service
conditions or remote code execution. Details can be found at:

https://nvd.nist.gov/vuln/detail/CVE-2022-25235
https://nvd.nist.gov/vuln/detail/CVE-2022-25236
https://nvd.nist.gov/vuln/detail/CVE-2022-25313
https://nvd.nist.gov/vuln/detail/CVE-2022-25314
https://nvd.nist.gov/vuln/detail/CVE-2022-25315

Internal references: ATLCP-191, ATLAX-60, ATLWL-293, ATLWL-183,
ATLWL-292, ATLWL-192, ATLSP-1

CVSS Vectors and Scores provided by NVD as follows:

CVE-2022-25235 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical
CVE-2022-25236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical
CVE-2022-25313 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 medium
CVE-2022-25314 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 high
CVE-2022-25315 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical

Aruba Threat Labs analyzed and tested these vulnerabilities in the
products using the affected component.
Aruba found that exploitation of these vulnerabilities is not
straightforward and depends on many factors that an attacker may not be
able to control. Aruba has chosen to keep the NVD-provided severity
scores as a reference. Based on ongoing testing, the impact on products
using the affected component is very low.

Resolution
==========
- AirWave Management Platform
  - 8.2.14.1 and above
- Aruba Analytics and Location Engine
  - 2.2.0.3 and above
    Release ETA - late July 2022
- Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
  - 6.2.1 and above
- Aruba Central On-Premises
  - 2.5.5.0 and above
    Release ETA - late July 2022
- Aruba ClearPass Policy Manager
  - 6.10.5 and above
  - 6.9.11 and above
  - 6.8.9 with Hotfix for Q1 2022 Security issues applied
- ArubaOS-CX Switches
  - 10.10.0002 and above
  - 10.09.1031 and above
  - 10.08.1070 and above
  - 10.07.0080 and above
  - 10.06.0210 and above
- ArubaOS Wi-Fi Controllers and Gateways
- ArubaOS SD-WAN Gateways
  - Please note that this only affects controllers and gateways based on
    the x86 architecture. This includes the following models:
    - Aruba 9000 Series Controllers
    - Aruba 9200 Series Controllers
    - Aruba Virtual Mobility Controllers
    - Aruba Virtual and Hardware-based Mobility Conductors
  - The fixed code versions are as follows:
    - ArubaOS 8.6.x: 8.6.0.19 and above
      Release ETA - early September 2022
    - ArubaOS 8.7.x: 8.7.1.10 and above
      Release ETA - late July 2022
    - ArubaOS 8.10.x: 8.10.0.3 and above
      Release ETA - late August 2022
    - ArubaOS 10.3.x: 10.3.1.1 and above
      Release ETA - early August 2022
    - SDWAN 2.X: 8.7.0.0-2.3.0.8 and above
      Release ETA - late July 2022
- Aruba EdgeConnect Enterprise
  - ECOS 9.1.1.4 and above
  - ECOS 9.0.7.0 and above
  - ECOS 8.3.7.0 and above
  - Impact of this vulnerability on ECOS is very low. Fixes will be
    applied only to the ECOS versions that are listed above due to the
    minimal risk involved.
- Aruba EdgeConnect Enterprise Orchestrator (on-premises)
  - Orchestrator itself does not use the expat library. However:
    - Customers using CentOS are suggested to run 'yum update expat' from
      the administrative command line to address this vulnerability. To
      verify that the patch has been applied, run 'rpm -q --changelog expat'
      and look for the specific CVEs. If the output shows "Resolves", the
      patches for the CVE(s) have already been applied.
      - OR -
    - Upgrading (from 9.0.6 or later) to any newer Orchestrator version
      automatically updates expat and resolves this vulnerability.
    - New virtual machine images already have the fix for this
      vulnerability.
    - Customers using Fedora must upgrade to CentOS for support of
      security updates. Please contact Customer Support for the procedure.
- Aruba Virtual Intranet Access (VIA)
  - Affects macOS/OSX versions only. Others are unaffected.
  - 4.4.0 and above

Aruba does not evaluate or patch product versions that have reached their
End of Support (EoS) milestone. For more information about Aruba's End of
Support policy visit:

https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above.

Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public. Aruba is not
aware of any exploitation tools or techniques that specifically target
Aruba products.

Revision History
================
Revision 1 / 2022-May-17 / Initial release
Revision 2 / 2022-Jun-01 / ClearPass Policy Manager information added.
                           EdgeConnect Enterprise Orchestrator Cloud
                           products moved to unaffected.
Revision 3 / 2022-Jul-07 / AOS-CX information added.
Revision 4 / 2022-Jul-21 / Aruba Location Engine information added.
                           Aruba Central On-Premises information added.
                           Aruba Virtual Intranet Access (VIA) information
                           added.
                           ArubaOS Wi-Fi Controllers and Gateways
                           information added.
                           ArubaOS SD-WAN Gateways information added.
                           Removed products under investigation section.
                           Marked status as confirmed.

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmLVYQoXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtm2DQgAgHKBL6a1gyT8y8oxXsVGqvnm
sPz6aJUT1szX6Dw6SMVVAfZ3cv19V7i9wbiJg0+wQBc7w3+5tRAEqHiMn+0FDi3p
LirhNMvUk9AK+moQ/zi2MQT0WAbaAerrLH1hja2V3rSSySYXfyTVhcwwHDFnkISJ
LmMtQI9lKY8oGZ5q1MnQGGggtA54m3hY6TP7qN1te+/aMOUflobUfeKz0KmvA4Br
dkQtN3QEeElms4hSmr4aiO+OQat99TgKzb5lcIdEr/dgHcJFApD3IvRDxvbRK8yZ
TviMLDyFRh6yWjE6BsYlLFZSvu1fdMq589c8SujEkovOA14ifDq/MLhLvU58/g==
=qp2L
-----END PGP SIGNATURE-----
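
The Orchestrator verification step in the Resolution section above (run
'rpm -q --changelog expat' and look for the five CVEs next to "Resolves")
can be scripted so that a fleet of CentOS hosts is checked the same way
every time. The script below is an added example and is not part of the
Aruba advisory or of Aruba's tooling. The matching rule it applies (a
changelog line that names the CVE and also carries "Resolves") follows
the advisory's own wording and is an assumption modelled on RHEL/CentOS
packaging changelogs; both sample changelogs are constructed for this
example and are not output from a real expat package. It is placed after
the signed message so that the signed text above stays as issued.

```shell
#!/bin/sh
# Added example (not from the Aruba advisory): check an expat RPM changelog
# for the CVEs covered by ARUBA-PSA-2022-010. The "Resolves: CVE-..." line
# format is an assumption modelled on RHEL/CentOS changelogs; the sample
# changelogs below are constructed, not captured from a real system.

# The five CVEs listed in the advisory.
EXPAT_CVES="CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315"

# cve_resolved CVE CHANGELOG
# Succeeds when at least one changelog line names the CVE *and* carries
# "Resolves". A line that merely mentions the CVE (e.g. "Related:") does
# not count, which is the failure mode a plain grep for the CVE would miss.
cve_resolved() {
    printf '%s\n' "$2" | grep -F -i -- "$1" | grep -q -i 'resolves'
}

# missing_cves CHANGELOG
# Prints the CVEs that have no "Resolves" entry, space-separated (empty when
# all five are covered). Exit status 0 means every CVE is covered.
missing_cves() {
    missing=""
    for cve in $EXPAT_CVES; do
        cve_resolved "$cve" "$1" || missing="${missing:+$missing }$cve"
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed sample: a rebuilt package whose changelog resolves all five.
SAMPLE_PATCHED='* Mon Feb 28 2022 Example Maintainer <maint@example.com> - 2.1.0-14
- Resolves: CVE-2022-25235 - expat: malformed 2- and 3-byte UTF-8 sequences
- Resolves: CVE-2022-25236 - expat: namespace-separator characters in xmlns
- Resolves: CVE-2022-25313 - expat: stack exhaustion in doctype parsing
- Resolves: CVE-2022-25314 - expat: integer overflow in copyString()
- Resolves: CVE-2022-25315 - expat: integer overflow in storeRawNames()
* Tue Aug 03 2021 Example Maintainer <maint@example.com> - 2.1.0-12
- Rebuild'

# Constructed sample: three fixes landed, two are only referenced as pending.
SAMPLE_PARTIAL='* Mon Feb 28 2022 Example Maintainer <maint@example.com> - 2.1.0-13
- Resolves: CVE-2022-25313 - expat: stack exhaustion in doctype parsing
- Resolves: CVE-2022-25314 - expat: integer overflow in copyString()
- Resolves: CVE-2022-25315 - expat: integer overflow in storeRawNames()
- Related: CVE-2022-25235, CVE-2022-25236 - backports pending'

# Constructed sample: a package predating the advisory; nothing resolved.
SAMPLE_STALE='* Tue Aug 03 2021 Example Maintainer <maint@example.com> - 2.1.0-12
- Rebuild'

# report CHANGELOG: one-line verdict for an operator or a log collector.
report() {
    if missing="$(missing_cves "$1")"; then
        echo "expat changelog covers all ARUBA-PSA-2022-010 CVEs"
    else
        echo "expat changelog is missing: $missing"
    fi
}

report "$SAMPLE_PATCHED"
report "$SAMPLE_PARTIAL"
report "$SAMPLE_STALE"

# On an Orchestrator host, check the installed package instead of a sample:
#   report "$(rpm -q --changelog expat)"
```

Two practitioner notes. The changelog only records what the packager
backported; a host that passes this check still needs its services
restarted (or a reboot) after 'yum update expat', because processes that
had already loaded the old shared library keep using it until they are
restarted. And the check is deliberately strict: a CVE mentioned without
"Resolves" is reported as missing, so read the output rather than
treating any mention of the identifier as a fix.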