-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-015
CVE: CVE-2022-37913, CVE-2022-37914, CVE-2022-37915
Publication Date: 2022-Oct-11
Status: Confirmed
Severity: Critical
Revision: 1


Title
=====
Multiple Vulnerabilities in Aruba EdgeConnect Enterprise
Orchestrator


Overview
========
Aruba has released patches for Aruba EdgeConnect Enterprise
Orchestrator that address multiple security vulnerabilities.


Affected Products
=================
  - Aruba EdgeConnect Enterprise Orchestrator (on-premises)
  - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
  - Aruba EdgeConnect Enterprise Orchestrator-SP and
    Aruba EdgeConnect Enterprise Orchestrator Global
    Enterprise Tenant Orchestrators
    - Orchestrator 9.1.2.40051 and below
    - Orchestrator 9.0.7.40108 and below
    - Orchestrator 8.10.23.40009 and below
    - Any older branches of Orchestrator not specifically mentioned

Versions of Aruba EdgeConnect Enterprise Orchestrator that
are end of life are affected by these vulnerabilities unless
otherwise indicated.


Details
=======

  Authentication Bypass Leading to System Takeover in Aruba
  EdgeConnect Enterprise Orchestrator Web-Based Management
  Interface
  (CVE-2022-37913, CVE-2022-37914)
  ---------------------------------------------------------------------
    Vulnerabilities in the web-based management interface of
    Aruba EdgeConnect Enterprise Orchestrator could allow an
    unauthenticated remote attacker to bypass authentication.
    Successful exploitation of these vulnerabilities could allow
    an attacker to gain administrative privileges leading to
    complete compromise of the Aruba EdgeConnect Enterprise
    Orchestrator host.

    Internal References: ATLSP-12, ATLSP-25
    Severity: Critical
    CVSSv3.x Overall Score: 9.8
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered and
    reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty
    Program.


  Unauthenticated Remote Code Execution in Aruba EdgeConnect
  Enterprise Orchestrator Web-Based Management Interface
  (CVE-2022-37915)
  ---------------------------------------------------------------------
    A vulnerability in the web-based management interface of
    Aruba EdgeConnect Enterprise Orchestrator could allow an
    unauthenticated remote attacker to run arbitrary commands
    on the underlying host. Successful exploitation of this
    vulnerability could allow an attacker to execute arbitrary
    commands on the underlying operating system leading to
    complete system compromise.

    Internal References: ATLWL-313
    Severity: Critical
    CVSSv3.x Overall Score: 9.8
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: This vulnerability was discovered and reported by
    Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program

    Affected: This vulnerability only affected the versions listed
      - Aruba EdgeConnect Enterprise Orchestrator (on-premises)
        - 9.1.x branch only
        - Any 9.1.x Orchestrator instantiated as a new
          machine with a release prior to 9.1.3.40197
        - Orchestrators upgraded to 9.1.x were not affected.

    Resolution: If you have a version of Aruba EdgeConnect
    Enterprise Orchestrator (on-premises) that you believe is
    affected from the above criteria, please reach out to TAC
    for resolution assistance.


Resolution
==========
Upgrade Aruba EdgeConnect Enterprise Orchestrator to one of the
following versions with the fixes to resolve all issues noted in
the details section.

  - Aruba EdgeConnect Enterprise Orchestrator (on-premises)
    - Orchestrator 9.2.0.40405 and above
    - Orchestrator 9.1.3.40197 and above
    - Orchestrator 9.0.7.40110 and above
    - Orchestrator 8.10.23.40015 and above

  - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
    - TAC will automatically create a support case for Aruba
      (Silver Peak) hosted Orchestrators to be upgraded.

  - Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba
    EdgeConnect Enterprise Orchestrator Global Enterprise Tenant
    Orchestrators
    - Service providers must upgrade all tenants to a patched
      version listed above

Aruba does not evaluate or patch product versions that have
reached their End of Support (EoS) milestone.

Supported versions as of the publication date of this advisory
are:
  - Aruba EdgeConnect Enterprise Orchestrator 9.2.x
  - Aruba EdgeConnect Enterprise Orchestrator 9.1.x
  - Aruba EdgeConnect Enterprise Orchestrator 9.0.x
  - Aruba EdgeConnect Enterprise Orchestrator 8.10.x

For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/


Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based
management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3
and above.


Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that
target these specific vulnerabilities as of the release date of
the advisory.


Revision History
================
Revision 1 / 2022-Oct-11 / Initial release


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in
Aruba Networks products and obtaining assistance with security
incidents is available at:

https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can
be sent to aruba-sirt(at)hpe.com. For sensitive information we
encourage the use of PGP encryption. Our public keys can be
found at:

https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise
company. This advisory may be redistributed freely after the
release date given at the top of the text, provided that the
redistributed copies are complete and unmodified, including all
data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmM9iKkXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtk6hgf+Pog4Ikx66VHFIjT7owVLkbJ8
HK65RReWCqE8ruyeIeySQa4nZJ+nJZRaHagnunkRNeteC67ETo77Go8NetZ+XKnU
SJ5AUF60+M8Yog4OOloNG8/ki0Eh/HZT6Stge+j/dJ1d+3QL78SPrFpUBEUWNOTM
hTgwrkP+IZZJCJYHz+dy2bBNF5wwyzRau5xokoxAHzuJt4No01fTWQT3NWipPoBJ
eNZKwDLMJBQCQGONY2yWCIs1QZZUQ3z7Ag7JbiJcRApSI91rxKbcCau5+14VmOZd
PwUnVt85ijaQCxFO6yJXUgwrjYF/XjpP4IdcoKOCxOYquNVZzYgDFL+Iz9FWcQ==
=HYd8
-----END PGP SIGNATURE-----