Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-019
CVE: CVE-2022-37916, CVE-2022-37917, CVE-2022-37918
Publication Date: 2022-Nov-29
Status: Confirmed
Severity: Medium
Revision: 1

Title
=====

AirWave Management Platform Multiple Vulnerabilities

Overview
========

Aruba has released updates to the AirWave Management Platform that
address multiple security vulnerabilities.

Affected Products
=================

- AirWave Management Platform - 8.2.15.0 and below

Unaffected Products
===================

- Aruba AirWave Management Platform - 8.2.15.1 and above

Details
=======

Broken Access Control for some Web-based Management URLs in AirWave
Management Platform (CVE-2022-37916, CVE-2022-37917, CVE-2022-37918)
---------------------------------------------------------------------

Vulnerabilities in the AirWave Management Platform web-based management
interface exist which expose some URLs to a lack of proper access
controls. These vulnerabilities could allow a remote attacker with
limited privileges to gain access to sensitive information and/or
change network configurations with privileges at a higher effective
level.

Internal References: ATLAW-186, ATLAW-187, ATLAW-188, ATLAW-189
Severity: Medium
CVSSv3.x Overall Score: 6.4
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Discovery: These vulnerabilities were discovered and reported by
Colton Bachman of Aruba Threat Labs and Oussama Sadouki.

Resolution
==========

To resolve the vulnerabilities described above, it is recommended to
upgrade the software to the following versions:

- AirWave Management Platform:
  - 8.2.15.1 and above

Workaround
==========

To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above.
There are no vulnerability-specific workarounds in this advisory. Please
contact Aruba TAC for any configuration assistance.

Exploitation and Public Discussion
==================================

Aruba is not aware of any public discussion or exploit code that targets
these specific vulnerabilities as of the publication of this advisory.

Revision History
================

Revision 1 / 2022-Nov-29 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
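The Resolution and Workaround sections above give two actionable checks: is a given AirWave host at 8.2.15.1 or above, and, if not, is its management interface reachable only from a dedicated management segment. The following added example (not Aruba's code) turns both into an inventory report; the inventory format, hostnames, and management subnet are constructed for illustration.

```python
"""Inventory check for ARUBA-PSA-2022-019 (CVE-2022-37916/37917/37918).

Flags AirWave hosts on 8.2.15.0 or below and, for those, whether the
advisory's workaround (management reachable only from a dedicated
segment) is in place. Inventory layout and hosts are constructed here.
"""
import ipaddress

FIXED_VERSION = (8, 2, 15, 1)  # first unaffected release per the advisory
CVES = ("CVE-2022-37916", "CVE-2022-37917", "CVE-2022-37918")


def parse_version(text):
    """Turn '8.2.15.0' into a comparable tuple; short strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected(version):
    """True when the version is 8.2.15.0 or below."""
    return parse_version(version) < FIXED_VERSION


def mgmt_restricted(allowed_sources, mgmt_network):
    """Workaround check: every source permitted to reach the web/CLI
    management interface must lie inside the management segment.
    An empty allow list is treated as 'no ACL configured'."""
    if not allowed_sources:
        return False
    net = ipaddress.ip_network(mgmt_network)
    return all(ipaddress.ip_network(s).subnet_of(net) for s in allowed_sources)


def assess(inventory, mgmt_network):
    """Return {host: status} for entries with 'host', 'version', 'allowed_sources'."""
    report = {}
    for e in inventory:
        if not is_affected(e["version"]):
            report[e["host"]] = "patched"
        elif mgmt_restricted(e["allowed_sources"], mgmt_network):
            report[e["host"]] = "affected, workaround in place: upgrade to 8.2.15.1+"
        else:
            report[e["host"]] = "affected, management exposed: upgrade immediately"
    return report


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    {"host": "amp-lab", "version": "8.2.15.1", "allowed_sources": ["0.0.0.0/0"]},
    {"host": "amp-dc1", "version": "8.2.15.0", "allowed_sources": ["10.250.0.0/24"]},
    {"host": "amp-dc2", "version": "8.2.14", "allowed_sources": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY, "10.250.0.0/24").items():
        print(f"{host}: {status}")
```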