Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-017
CVEs: CVE-2022-3602, CVE-2022-3786
Publication Date: 2022-Nov-01
Status: Confirmed
Severity: High
Revision: 1

Title
=====
OpenSSL X.509 Email Address Buffer Overflow

Overview
========
CVE-2022-3602 and CVE-2022-3786 have been published about buffer
overflow vulnerabilities discovered in OpenSSL 3.0.0 through 3.0.6.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Details can be found at:
https://www.openssl.org/news/secadv/20221101.txt

Affected Products
=================
 - None

Unaffected Products
===================
 - AirWave Management Platform
 - Aruba Analytics and Location Engine
 - Aruba Central / Central On-Premises
 - Aruba ClearPass Policy Manager
 - Aruba Instant / Aruba Instant Access Points
 - Aruba Instant On
 - Aruba IntroSpect
 - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
 - Aruba NetEdit
 - Aruba User Experience Insight (UXI)
 - ArubaOS Wi-Fi Controllers and Gateways
 - ArubaOS SD-WAN Gateways
 - ArubaOS-CX Switches
 - ArubaOS-S Switches
 - HP ProCurve Switches
 - Aruba VIA Client
 - Aruba EdgeConnect Enterprise Orchestrator (on-premises)
 - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
 - Aruba EdgeConnect Enterprise Orchestrator-SP
 - Aruba EdgeConnect Enterprise (ECOS)

Other Aruba products not listed above are also not known to be
affected by these vulnerabilities.

Details
=======
No Aruba products have been found to be impacted by the
vulnerabilities listed above. Aruba does not usually issue advisories
where no action is required, but due to the public discussion
generated by the OpenSSL vulnerabilities an exception has been made.

Resolution
==========
No action is required.

Workaround and Mitigations
==========================
No action is required.

Exploitation and Public Discussion
==================================
More information about CVE-2022-3602 and CVE-2022-3786 can be found at:
https://www.openssl.org/news/secadv/20221101.txt

Discovery
=========
Please see the following link for more details:
https://www.openssl.org/news/secadv/20221101.txt

Revision History
================
Revision 1 / 2022-Nov-01 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.