Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-011
CVE: CVE-2022-23678
Publication Date: 2022-Jul-26
Last Update: 2022-Aug-19
Status: Confirmed
Severity: Medium
Revision: 2


Title
=====
Vulnerability in Aruba Virtual Intranet Access (VIA)


Overview
========
Aruba has released an update to Aruba Virtual Intranet Access (VIA)
that addresses a security vulnerability in the Aruba VIA client for
the Microsoft Windows operating system. This vulnerability does not
affect Aruba VIA clients for other operating systems.


Affected Products
=================
This vulnerability affects Aruba Virtual Intranet Access (VIA)
running the following versions unless specifically noted otherwise
in the details section:

  - Aruba Virtual Intranet Access (VIA) for Windows:
      - All versions lower than VIA 4.3.0 build 2208101

Updating Aruba Virtual Intranet Access (VIA) to a version listed in
the Resolution section at the end of this advisory will resolve all
issues in the details section.


Details
=======

  Sensitive Information Disclosure in Aruba VIA Client for Microsoft
  Windows Operating System via Privileged Network Position
  (CVE-2022-23678)
  ---------------------------------------------------------------------
    A vulnerability exists in the Aruba VIA client for Microsoft
    Windows operating system client communications that could allow
    for an attacker in a privileged network position to intercept
    sensitive information.

    Internal Reference: ATLCP-200
    Severity: Medium
    CVSSv3.x Overall Score: 6.5
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

    Discovery: This vulnerability was discovered and reported by
    Mr. Ka-Lok Wu, Mr. Ngai-Man Poon, and Prof. Sze-Yiu Chau of the
    Department of Information Engineering, Chinese University of
    Hong Kong.


Resolution
==========
The vulnerability contained in this advisory can be addressed by
upgrading to the Aruba Virtual Intranet Access (VIA) version listed
below:

  - Aruba Virtual Intranet Access (VIA) for Windows:
      - Version 4.3.0 build 2208101 released August 15th, 2022 and
        above
      - Version 4.4.0 and above

Aruba does not evaluate or patch Aruba Virtual Intranet Access (VIA)
versions that have reached their End of Support (EoS) milestone.

For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/


Workaround
==========
There is no workaround for this vulnerability.


Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that
targets this specific vulnerability as of the release date of the
advisory.


Revision History
================
Revision 1 / 2022-Jul-26 / Initial release
Revision 2 / 2022-Aug-19 / Added resolution information 4.3.0 build
                           2208101 released August 15th 2022 and
                           rewrote resolution and affected sections


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date
given at the top of the text, provided that the redistributed copies
are complete and unmodified, including all data and version
information.