Faulty OpenSSL Handling of Certificates Containing Elliptic Curve Public Keys Leading to Denial of Service

    Employee
    Posted 07-21-2022 03:30 PM
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Aruba Product Security Advisory
    ===============================
    Advisory ID: ARUBA-PSA-2022-009
    CVE: CVE-2022-0778
    Publication Date: 2022-May-04
    Last Update: 2022-Jul-21
    Status: Confirmed
    Severity: High
    Revision: 3


    Title
    =====
    Faulty OpenSSL Handling of Certificates Containing Elliptic Curve
    Public Keys Leading to Denial of Service


    Overview
    ========
    A CVE has been disclosed that involves the faulty handling of
    certain certificates by OpenSSL. This CVE impacts multiple Aruba
    products.

    Details can be found at:
    https://nvd.nist.gov/vuln/detail/CVE-2022-0778


    Affected Products
    =================
    - AirWave Management Platform
      - 8.2.14.0 and below

    - Aruba Analytics and Location Engine
      - 2.2.0.2 and below

    - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
      - 6.2.0 and below

    - Aruba Central On-Premises
      - 2.5.4.x and below

    - Aruba ClearPass Policy Manager
      - 6.10.4 and below
      - 6.9.10 and below
      - 6.8.9 without Hotfix for Q1 2022 Security issues

    - ArubaOS-CX Switches
      - 10.09.1010 and below
      - 10.08.1050 and below
      - 10.07.0070 and below
      - 10.06.0190 and below

    - ArubaOS Wi-Fi Controllers and Gateways
    - ArubaOS SD-WAN Gateways
      - ArubaOS 6.5.x: 6.5.4.23 and below
      - ArubaOS 8.6.x: 8.6.0.18 and below
      - ArubaOS 8.7.x: 8.7.1.9 and below
      - ArubaOS 8.10.x: 8.10.0.1 and below
      - ArubaOS 10.3.x: 10.3.1.0 and below
      - SDWAN 2.X: 8.7.0.0-2.3.0.7 and below

    - Aruba IntroSpect
      - All versions
      - Aruba will not be issuing patches for this issue.
        Please see the workaround section below for suggested workarounds.

    - Aruba InstantOS / Aruba Access Points running ArubaOS 10
      - Aruba InstantOS 8.6.x: 8.6.0.18 and below
      - Aruba InstantOS 8.7.x: 8.7.1.9 and below
      - Aruba InstantOS 8.10.x: 8.10.0.1 and below
      - ArubaOS 10.3.x: 10.3.1.0 and below
      - Please note that 6.x is not affected

    - Aruba Instant On switches
      - models 1830, 1930 and 1960 with locally managed firmware
      - 2.5.0.x and below

    - Aruba NetEdit
      - 2.3.0 and below

    - Aruba EdgeConnect Enterprise
      - ECOS 9.1.1.3 and below
      - ECOS 9.0.6.0 and below
      - ECOS 8.3.6.0 and below
      - Impact of this vulnerability on ECOS is very low.

    - Aruba EdgeConnect Enterprise Orchestrator (on prem)
      - See resolution section for details


    Unaffected Products
    ===================
    - ArubaOS-S Switches
    - Aruba User Experience Insight (UXI)
    - Aruba VIA Client
    - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
    - Aruba EdgeConnect Enterprise Orchestrator-SP
    - Aruba EdgeConnect Enterprise Orchestrator Global Enterprise


    Other Aruba products not listed above are also not known to be
    affected by the vulnerability.


    Details
    =======
    A vulnerability has been identified in a commonly used
    component in multiple Aruba products. It allows an attacker
    who can present a specially crafted certificate to cause a
    denial of service.

    Details can be found at:
    https://nvd.nist.gov/vuln/detail/CVE-2022-0778

    Internal references: ATLCP-184, ATLAW-182, ATLWL-281,
    ATLWL-282, ATLWL-283, ATLWL-284,
    ATLWL-285, ATLWL-286, ATLWL-287,
    ATLWL-288, ATLWL-289, ATLAX-56,
    ATLAX-57, ATLAX-58, ATLWL-290,
    ATLWL-291, ATLWL-310
    Severity: High
    CVSSv3.1 Overall Score: 7.5
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Aruba Threat Labs analyzed and tested this vulnerability in the
    products using the affected component. Testing found that
    exploitation of this vulnerability is not straightforward and
    depends on many factors that an attacker may not be able to
    control.

    Aruba has chosen to keep the NVD provided severity score as a
    reference. The impact on products using the affected
    component is very low based on ongoing testing.


    Resolution
    ==========
    - AirWave Management Platform
      - 8.2.14.1 and above

    - Aruba Analytics and Location Engine
      - 2.2.0.3 and above
        Release ETA - late July 2022

    - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
      - 6.2.1 and above

    - Aruba Central On-Premises
      - 2.5.5.0 and above
        Release ETA - late July 2022

    - Aruba ClearPass Policy Manager
      - 6.10.5 and above
      - 6.9.11 and above
      - 6.8.9 with Hotfix for Q1 2022 Security issues applied

    - ArubaOS-CX Switches
      - 10.09.1020 and above
      - 10.08.1060 and above
      - 10.07.0080 and above
      - 10.06.0200 and above

    - ArubaOS Wi-Fi Controllers and Gateways
    - ArubaOS SD-WAN Gateways
      - ArubaOS 6.5.x: 6.5.4.24 and above
        Release ETA - late August 2022
      - ArubaOS 8.6.x: 8.6.0.19 and above
        Release ETA - early September 2022
      - ArubaOS 8.7.x: 8.7.1.10 and above
        Release ETA - late July 2022
      - ArubaOS 8.10.x: 8.10.0.2 and above
      - ArubaOS 10.3.x: 10.3.1.1 and above
        Release ETA - early August 2022
      - SDWAN 2.3: 8.7.0.0-2.3.0.8 and above
        Release ETA - late July 2022

    - Aruba InstantOS / Aruba Access Points running ArubaOS 10
      - Aruba InstantOS 8.6.x: 8.6.0.19 and above
        Release ETA - early September 2022
      - Aruba InstantOS 8.7.x: 8.7.1.10 and above
        Release ETA - late July 2022
      - Aruba InstantOS 8.10.x: 8.10.0.2 and above
      - ArubaOS 10.3.x: 10.3.1.1 and above
        Release ETA - early August 2022

    - Aruba Instant On switches
      - models 1830, 1930 and 1960 with locally managed firmware
      - 2.6.0 and above
      - firmware may be found at https://community.arubainstanton.com/support/documentation/support-documentation-list?CommunityKey=26af222f-d9da-43cb-a665-cba6c273756c

    - Aruba NetEdit
      - 2.4.0 and above

    - Aruba EdgeConnect Enterprise
      - ECOS 9.1.1.4 and above
      - ECOS 9.0.7.0 and above
      - ECOS 8.3.7.0 and above
      - Impact of this vulnerability on ECOS is very low.
        Fixes will be applied only to the ECOS versions listed
        above due to the minimal risk involved.

    - Aruba EdgeConnect Enterprise Orchestrator (on prem)
      - Customers are advised to run 'yum update openssl'
        from the administrative command line to address this
        vulnerability. To verify that the patch has been applied,
        run 'rpm -q --info openssl'; if the output contains
        "25.el7_9" as part of the version, the patch is applied.
      - OR -
      - Upgrading (from 9.0.6 or later) to any newer Orchestrator
        version automatically updates expat and resolves this
        vulnerability.
      - New virtual machine images already include the fix for this
        vulnerability.
      - Customers using Fedora must upgrade to CentOS to receive
        security updates. Please contact Customer Support for
        the procedure.

    Aruba does not evaluate or patch product versions that have
    reached their End of Support (EoS) milestone. For more
    information about Aruba's End of Support policy visit:
    https://www.arubanetworks.com/support-services/end-of-life/


    Workaround
    ==========
    To minimize the likelihood of an attacker exploiting this
    vulnerability, Aruba recommends that the CLI and web-based
    management interfaces be restricted to a dedicated layer 2
    segment/VLAN and/or controlled by firewall policies at layer 3
    and above.


    Exploitation and Public Discussion
    ==================================
    This vulnerability is being widely discussed in public.
    Aruba is not aware of any exploitation tools or techniques that
    specifically target Aruba products.


    Revision History
    ================
    Revision 1 / 2022-May-04 / Initial release
    Revision 2 / 2022-Jun-01 / AOS-S investigation completed and marked as
                               unaffected. AOS-CX information added. Aruba UXI
                               investigation completed and marked as unaffected.
                               EdgeConnect and Orchestrator information added.
                               NetEdit information added. ClearPass Policy
                               Manager information added. End of Support
                               information added.
    Revision 3 / 2022-Jul-21 / Aruba Location Engine information added.
                               Aruba InstantOn information added.
                               Aruba Central On-Premises information added.
                               Aruba Introspect information added.
                               Aruba InstantOS and InstantOS AP information added.
                               ArubaOS Wi-Fi Controllers and Gateways information added.
                               ArubaOS SD-WAN Gateways information added.
                               Removed products under investigation section.
                               Marked status as confirmed.


    Aruba SIRT Security Procedures
    ==============================
    Complete information on reporting security vulnerabilities in
    Aruba Networks products and obtaining assistance with security
    incidents is available at:

    https://www.arubanetworks.com/support-services/security-bulletins/


    For reporting *NEW* Aruba Networks security issues, email can
    be sent to aruba-sirt(at)hpe.com. For sensitive information we
    encourage the use of PGP encryption. Our public keys can be found
    at:

    https://www.arubanetworks.com/support-services/security-bulletins/


    (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise
    company. This advisory may be redistributed freely after the
    release date given at the top of the text, provided that the
    redistributed copies are complete and unmodified, including all
    data and version information.
    -----BEGIN PGP SIGNATURE-----
    -----END PGP SIGNATURE-----
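As an added example (not part of the advisory and not Aruba's own tooling), the POSIX shell check below implements the Orchestrator verification step from the Resolution section: it parses the Release field out of `rpm -q --info openssl` output and reports the host patched when the release is 25.el7_9 or a later build on the same el7_9 stream, which a literal search for the string "25.el7_9" would miss. The rpm output layout and the assumption that a later release on the same stream still carries the fix are mine; the sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed samples of `rpm -q --info openssl` output (not captured from a
# real Orchestrator host). rpm prints one "Field : value" line per field.
SAMPLE_PATCHED='Name        : openssl
Version     : 1.0.2k
Release     : 25.el7_9
Architecture: x86_64'

SAMPLE_UNPATCHED='Name        : openssl
Version     : 1.0.2k
Release     : 24.el7_9
Architecture: x86_64'

# Print the Release field from rpm --info text read on stdin (first match).
rpm_release() {
    sed -n 's/^Release[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Exit 0 (patched) when Release is 25.el7_9 or a higher build number on the
# el7_9 stream, 1 otherwise. Assumption: a later release on the same stream
# keeps the fix, so 26.el7_9 counts as patched; a different stream (el8 etc.)
# or an unparseable release is reported as NOT patched so that it gets looked at.
openssl_patched() {
    release=$(printf '%s\n' "$1" | rpm_release)
    num=${release%%.*}          # digits before the first dot, e.g. 25
    dist=${release#*.}          # remainder, e.g. el7_9
    case "$num" in
        ''|*[!0-9]*) return 1 ;;  # missing or non-numeric build number
    esac
    [ "$dist" = "el7_9" ] && [ "$num" -ge 25 ]
}

# On a live CentOS 7 Orchestrator host the advisory's command supplies the
# input: openssl_patched "$(rpm -q --info openssl)". Here we run the samples.
for s in "$SAMPLE_PATCHED" "$SAMPLE_UNPATCHED"; do
    if openssl_patched "$s"; then echo "openssl: patched"; else echo "openssl: NOT patched"; fi
done
```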

    ------------------------------
    Aruba Instant On Communications
    ------------------------------