-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2023-015
CVE: CVE-2023-4896
Publication Date: 2023-Oct-17
Last Update: 2023-Oct-23
Status: Confirmed
Severity: Medium
Revision: 2

Title
=====

Authenticated Disclosure of Sensitive Information in AirWave Management Platform

Overview
========

HPE Aruba Networking has released a software patch that resolves a security
vulnerability in the AirWave Management Platform's web-based management
interface.

Affected Products
=================

- HPE Aruba Networking AirWave Management Platform
  - 8.3.0.1 and below
  - 8.2.15.2 and below

Unaffected Products
===================

Any other HPE Aruba Networking products not specifically listed above are not
affected by this vulnerability.

Details
=======

Authenticated Disclosure of Sensitive Information in AirWave Management
Platform (CVE-2023-4896)
---------------------------------------------------------------------

A vulnerability exists which allows an authenticated attacker to access
sensitive information on the AirWave Management Platform web-based management
interface. Successful exploitation allows the attacker to gain access to some
data that could be further exploited to laterally access devices managed and
monitored by the AirWave server.

Internal References: ATLAW-195
Severity: Medium
CVSSv3.x Overall Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by 1njected
(bugcrowd.com/1njected) via Aruba's bug bounty program.

Resolution
==========

To resolve the vulnerability described above, it is recommended to upgrade the
software to the following version:

- HPE Aruba Networking AirWave Management Platform:
  - 8.3.0.2 and above (Release ETA - mid November 2023)

IMPORTANT: AirWave 8.2.15.2 is the last version based on the CentOS 7
operating system. The End Of Life date for CentOS 7 is set to 30-June-2024.
HPE Aruba Networking recommends upgrading to AirWave 8.3.0.2, a RHEL-based
AirWave version, to receive continued support for product and security
updates. Refer to the AirWave 8.3.0.2 Release Notes for minimum requirements,
upgrade paths and detailed upgrade instructions.

Workaround
==========

To minimize the likelihood of an attacker exploiting this vulnerability, HPE
Aruba Networking recommends that the CLI and web-based management interfaces
be restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

Exploitation and Public Discussion
==================================

HPE Aruba Networking is not aware of any public discussion or exploit code
that targets this vulnerability as of the publishing date of this advisory.

Revision History
================

Revision 1 / 2023-Oct-17 / Initial release
Revision 2 / 2023-Oct-23 / Updated Resolution information.

HPE Aruba Networking SIRT Security Procedures
=============================================

Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:

https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.

This advisory may be redistributed freely after the release date given at the
top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmUywSYXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtnFxwf9EDv7C79bHzydTnDgzjDYy7hv
Xs74RXUsWlcUfSTibeOfl9QswdFC5GxaActiCY0BH0Sj8nFKHtFWkm4p4dlMqTbb
wOqagw/DJVZI8FrkS6dlJR5FJAEu92GrCqIbbt34E/0Ii32ZP1d3AzsGLQiA8dXe
LQWUfgqcUqQK0zXosi0msmEDCGur4ayZ+h5fQ1kXQVuvQXOO8rizY3jZ4ak5D6Gs
0I8lsQ5C8l5z18VGUBae5kvRiIuZ8cFuWAYZkf03IIkBD6QGQ0gYeDmH5807nKoC
UPFJro2pRJHm2yyP9Jhh5JNB1wVb7AOn7ySwceQs2mM/inh+tHThU9A/QOkFJw==
=irbb
-----END PGP SIGNATURE-----