Multiple Vulnerabilities in Expat XML processing library

    Posted 07-21-2022 03:30 PM
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Aruba Product Security Advisory
    ===============================
    Advisory ID: ARUBA-PSA-2022-010
    CVE: CVE-2022-25235, CVE-2022-25236, CVE-2022-25313,
    CVE-2022-25314, CVE-2022-25315
    Publication Date: 2022-May-17
    Last Update: 2022-Jul-21
    Status: Confirmed
    Severity: Critical
    Revision: 4


    Title
    =====
    Multiple Vulnerabilities in Expat XML processing library


    Overview
    ========
    Multiple CVEs have been disclosed that involve faulty handling of
    XML input by the Expat XML parsing library (and the tools built on
    it). These CVEs impact multiple Aruba products.

    Details can be found at:
    https://nvd.nist.gov/vuln/detail/CVE-2022-25235
    https://nvd.nist.gov/vuln/detail/CVE-2022-25236
    https://nvd.nist.gov/vuln/detail/CVE-2022-25313
    https://nvd.nist.gov/vuln/detail/CVE-2022-25314
    https://nvd.nist.gov/vuln/detail/CVE-2022-25315


    Affected Products
    =================
    - AirWave Management Platform
      - 8.2.14.0 and below

    - Aruba Analytics and Location Engine
      - 2.2.0.2 and below

    - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
      - 6.2.0 and below

    - Aruba Central On-Premises
      - 2.5.4.x and below

    - Aruba ClearPass Policy Manager
      - 6.10.4 and below
      - 6.9.10 and below
      - 6.8.9 without Hotfix for Q1 2022 Security issues

    - ArubaOS-CX Switches
      - 10.09.1030 and below
      - 10.08.1060 and below
      - 10.07.0070 and below
      - 10.06.0200 and below

    - ArubaOS Wi-Fi Controllers and Gateways
    - ArubaOS SD-WAN Gateways
      - Please note that this only affects controllers and
        gateways based on the x86 architecture.
        This includes the following models:
        - Aruba 9000 Series Controllers
        - Aruba 9200 Series Controllers
        - Aruba Virtual Mobility Controllers
        - Aruba Virtual and Hardware-based Mobility Conductors
      - The affected code versions are as follows:
        - ArubaOS 8.6.x: 8.6.0.18 and below
        - ArubaOS 8.7.x: 8.7.1.9 and below
        - ArubaOS 8.10.x: 8.10.0.2 and below
        - ArubaOS 10.3.x: 10.3.1.0 and below
        - SDWAN 2.X: 8.7.0.0-2.3.0.7 and below

    - Aruba EdgeConnect Enterprise
      - ECOS 9.1.1.3 and below
      - ECOS 9.0.6.0 and below
      - ECOS 8.3.6.0 and below
      - Impact of this vulnerability on ECOS is very low.

    - Aruba EdgeConnect Enterprise Orchestrator (on-premises)
      - See resolution section for details

    - Aruba Virtual Intranet Access (VIA)
      - Affects macOS/OSX versions only. Others are unaffected.
      - 4.3.0 and below


    Unaffected Products
    ===================
    - Aruba Instant / Aruba Instant Access Points
    - Aruba Instant On
    - Aruba IntroSpect
    - Aruba NetEdit
    - Aruba User Experience Insight (UXI)
    - ArubaOS-S Switches
    - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
    - Aruba EdgeConnect Enterprise Orchestrator-SP
    - Aruba EdgeConnect Enterprise Orchestrator Global Enterprise

    Other Aruba products not listed above are also not known to be
    affected by these vulnerabilities.


    Details
    =======
    Vulnerabilities have been identified in the Expat XML parsing
    library, a commonly used component in multiple Aruba products.
    These vulnerabilities allow an attacker to supply specially
    crafted XML input that can potentially cause denial of service
    conditions or remote code execution.

    Details can be found at:
    https://nvd.nist.gov/vuln/detail/CVE-2022-25235
    https://nvd.nist.gov/vuln/detail/CVE-2022-25236
    https://nvd.nist.gov/vuln/detail/CVE-2022-25313
    https://nvd.nist.gov/vuln/detail/CVE-2022-25314
    https://nvd.nist.gov/vuln/detail/CVE-2022-25315

    Internal references: ATLCP-191, ATLAX-60, ATLWL-293,
    ATLWL-183, ATLWL-292, ATLWL-192,
    ATLSP-1

    CVSS Vectors and Scores provided by NVD as follows:
    CVE-2022-25235 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical
    CVE-2022-25236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical
    CVE-2022-25313 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 medium
    CVE-2022-25314 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 high
    CVE-2022-25315 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical

    Aruba Threat Labs analyzed and tested these vulnerabilities in
    the products that use the affected component and found that
    exploitation is not straightforward and depends on many factors
    that an attacker may not be able to control.

    Aruba has chosen to keep the NVD-provided severity scores as a
    reference, which is why the Severity field above reads Critical.
    Based on ongoing testing, the impact on products using the
    affected component is very low.


    Resolution
    ==========
    - AirWave Management Platform
      - 8.2.14.1 and above

    - Aruba Analytics and Location Engine
      - 2.2.0.3 and above
        Release ETA - late July 2022

    - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
      - 6.2.1 and above

    - Aruba Central On-Premises
      - 2.5.5.0 and above
        Release ETA - late July 2022

    - Aruba ClearPass Policy Manager
      - 6.10.5 and above
      - 6.9.11 and above
      - 6.8.9 with Hotfix for Q1 2022 Security issues applied

    - ArubaOS-CX Switches
      - 10.10.0002 and above
      - 10.09.1031 and above
      - 10.08.1070 and above
      - 10.07.0080 and above
      - 10.06.0210 and above

    - ArubaOS Wi-Fi Controllers and Gateways
    - ArubaOS SD-WAN Gateways
      - Please note that this only affects controllers and
        gateways based on the x86 architecture.
        This includes the following models:
        - Aruba 9000 Series Controllers
        - Aruba 9200 Series Controllers
        - Aruba Virtual Mobility Controllers
        - Aruba Virtual and Hardware-based Mobility Conductors
      - The fixed code versions are as follows:
        - ArubaOS 8.6.x: 8.6.0.19 and above
          Release ETA - early September 2022
        - ArubaOS 8.7.x: 8.7.1.10 and above
          Release ETA - late July 2022
        - ArubaOS 8.10.x: 8.10.0.3 and above
          Release ETA - late August 2022
        - ArubaOS 10.3.x: 10.3.1.1 and above
          Release ETA - early August 2022
        - SDWAN 2.X: 8.7.0.0-2.3.0.8 and above
          Release ETA - late July 2022

    - Aruba EdgeConnect Enterprise
      - ECOS 9.1.1.4 and above
      - ECOS 9.0.7.0 and above
      - ECOS 8.3.7.0 and above
      - Impact of this vulnerability on ECOS is very low.
        Fixes will be applied only to the ECOS versions
        listed above due to the minimal risk involved.

    - Aruba EdgeConnect Enterprise Orchestrator (on-premises)
      - Orchestrator itself does not use the expat library; the steps
        below address the expat package installed on the host.
      - Customers using CentOS are suggested to run 'yum update expat'
        from the administrative command line to address this
        vulnerability. To verify that the patch has been applied, run
        'rpm -q --changelog expat' and look for the specific CVEs: if
        a changelog entry lists the CVE(s) under "Resolves", the
        patches have already been applied.
      - OR -
      - Upgrading (from 9.0.6 or later) to any newer Orchestrator
        version automatically updates expat and resolves this
        vulnerability.
      - New virtual machine images already have the fix for this
        vulnerability.
      - Customers using Fedora must upgrade to CentOS for support
        of security updates. Please contact Customer Support for
        the procedure.

    - Aruba Virtual Intranet Access (VIA)
      - Affects macOS/OSX versions only. Others are unaffected.
      - 4.4.0 and above

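    Added example for the CentOS verification step described under
    Orchestrator above (this is not Aruba's code and is not part of the
    advisory): a Python script that runs the 'rpm -q --changelog expat'
    command the advisory names and reports which of the five advisory
    CVEs the installed package's changelog does not mention. The sample
    changelog text embedded in it is constructed for offline testing
    (its dates, packager and version strings are invented) and uses the
    "Resolves:" wording the advisory tells you to look for; the function
    names are this example's own.

```python
"""Check the installed expat package's changelog for ARUBA-PSA-2022-010 CVEs.

Added example, not Aruba's code. It automates the verification step the
advisory gives for CentOS Orchestrator hosts: run "rpm -q --changelog expat"
and look for the specific CVEs. SAMPLE_CHANGELOG is constructed for offline
testing; its dates, packager and version strings are invented.
"""
import re
import subprocess

ADVISORY_CVES = (
    "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313",
    "CVE-2022-25314", "CVE-2022-25315",
)

# Constructed sample in the shape of rpm changelog output: a "* <date>
# <packager> - <version>" header per build followed by "- " entry lines.
# It deliberately omits CVE-2022-25315 so the check has something to report.
SAMPLE_CHANGELOG = """\
* Tue Mar 01 2022 Example Packager <packager@example.invalid> - 2.2.5-4
- Resolves: CVE-2022-25235 CVE-2022-25236
- Resolves: CVE-2022-25313, CVE-2022-25314
* Mon Jan 10 2022 Example Packager <packager@example.invalid> - 2.2.5-3
- Resolves: CVE-2021-46143
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_changelog(text):
    """All CVE identifiers mentioned anywhere in the changelog text."""
    return set(CVE_RE.findall(text))


def missing_cves(text, required=ADVISORY_CVES):
    """Advisory CVEs the changelog does not mention, in advisory order.

    An empty list is the outcome the advisory describes: every CVE is
    referenced by the installed package's changelog.
    """
    found = cves_in_changelog(text)
    return [cve for cve in required if cve not in found]


def changelog_from_rpm(package="expat"):
    """Run the advisory's command; return "" if rpm is absent or the query fails."""
    try:
        proc = subprocess.run(["rpm", "-q", "--changelog", package],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout if proc.returncode == 0 else ""


def report(text):
    """Human-readable verdict for a changelog text."""
    missing = missing_cves(text)
    if not missing:
        return "expat changelog references all advisory CVEs"
    return "expat changelog lacks %s; run 'yum update expat'" % ", ".join(missing)


if __name__ == "__main__":
    live = changelog_from_rpm()
    if live:
        print(report(live))
    else:
        print("rpm not available here; demonstrating on the constructed sample:")
        print(report(SAMPLE_CHANGELOG))
```

    Note that 'rpm -q --changelog' reads the metadata of the package that
    is installed, so a CVE appearing there means the packager recorded
    that fix in the build on disk; processes that were already running
    before 'yum update expat' keep the old library loaded until they are
    restarted.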

    Aruba does not evaluate or patch product versions that have
    reached their End of Support (EoS) milestone. For more
    information about Aruba's End of Support policy visit:
    https://www.arubanetworks.com/support-services/end-of-life/
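
    Added example (not Aruba tooling and not part of the advisory): a
    Python check that maps an installed product version onto the
    affected and fixed ranges listed in the Affected Products and
    Resolution sections. The release trains and first-fixed versions
    are copied from the Resolution section; the product keys, the
    function names and the "not covered" status are this example's own
    assumptions. Version components are compared as integers, so
    10.09.1031 sorts below 10.10.0002. The check knows nothing about
    hardware platform, so the x86-only caveat for ArubaOS controllers
    and gateways still has to be applied by the reader.

```python
"""Map an installed Aruba product version onto ARUBA-PSA-2022-010.

Added example, not Aruba tooling. Release trains and first-fixed versions
are copied from the advisory's Resolution section; product keys, function
names and the "not covered" status are assumptions of this example.
"""

# product -> [(train, first fixed version, status when at/above it)]
# "8.7.x" covers every version whose leading components are 8 and 7,
# matching the advisory's own "ArubaOS 8.7.x" wording.
FIXED = {
    "AirWave Management Platform": [("8.2.x", "8.2.14.1", "fixed")],
    "Aruba Analytics and Location Engine": [("2.2.x", "2.2.0.3", "fixed")],
    "Aruba Fabric Composer / Plexxi CFM": [("6.2.x", "6.2.1", "fixed")],
    "Aruba Central On-Premises": [("2.5.x", "2.5.5.0", "fixed")],
    "Aruba ClearPass Policy Manager": [
        ("6.10.x", "6.10.5", "fixed"),
        ("6.9.x", "6.9.11", "fixed"),
        # 6.8.9 is fixed only with the Hotfix for Q1 2022 Security issues.
        ("6.8.x", "6.8.9", "fixed only with Q1 2022 hotfix"),
    ],
    "ArubaOS-CX": [
        ("10.10.x", "10.10.0002", "fixed"),
        ("10.09.x", "10.09.1031", "fixed"),
        ("10.08.x", "10.08.1070", "fixed"),
        ("10.07.x", "10.07.0080", "fixed"),
        ("10.06.x", "10.06.0210", "fixed"),
    ],
    # x86-based controllers/gateways only; the platform is not encoded in
    # the version string, so the caller must apply that caveat.
    "ArubaOS": [
        ("8.6.x", "8.6.0.19", "fixed"),
        ("8.7.x", "8.7.1.10", "fixed"),
        ("8.10.x", "8.10.0.3", "fixed"),
        ("10.3.x", "10.3.1.1", "fixed"),
    ],
    # SD-WAN builds are written "8.7.0.0-2.3.0.8"; only the SD-WAN release
    # after the dash is compared (assumption of this example).
    "ArubaOS SD-WAN": [("2.x", "8.7.0.0-2.3.0.8", "fixed")],
    "EdgeConnect ECOS": [
        ("9.1.x", "9.1.1.4", "fixed"),
        ("9.0.x", "9.0.7.0", "fixed"),
        ("8.3.x", "8.3.7.0", "fixed"),
    ],
    "VIA (macOS)": [("4.x", "4.4.0", "fixed")],
}


def parse_version(text):
    """'10.09.1030' -> (10, 9, 1030); '8.7.0.0-2.3.0.7' -> (2, 3, 0, 7).

    Components are compared as integers, so leading zeros do not matter
    and 10.09.1031 sorts below 10.10.0002. Non-numeric components raise.
    """
    tail = text.strip().rsplit("-", 1)[-1]
    return tuple(int(part) for part in tail.split("."))


def train_prefix(train):
    """'8.7.x' -> (8, 7); '2.x' -> (2,)."""
    return tuple(int(p) for p in train.split(".") if p != "x")


def check(product, version):
    """Return 'affected', 'fixed', a hotfix note, or 'not covered'.

    'not covered' means the advisory lists no train for this version
    (for example a release past End of Support); it does not mean safe.
    Anything below the first fixed build of its train is reported as
    affected, which is the conservative reading of "X and below".
    """
    ver = parse_version(version)
    for train, first_fixed, status in FIXED.get(product, []):
        prefix = train_prefix(train)
        if ver[: len(prefix)] != prefix:
            continue
        return "affected" if ver < parse_version(first_fixed) else status
    return "not covered"


if __name__ == "__main__":
    inventory = [  # constructed sample inventory, not real hosts
        ("ArubaOS-CX", "10.09.1030"),
        ("ArubaOS-CX", "10.10.0002"),
        ("ArubaOS", "8.7.1.9"),
        ("ArubaOS", "8.8.0.1"),
        ("ArubaOS SD-WAN", "8.7.0.0-2.3.0.7"),
        ("Aruba ClearPass Policy Manager", "6.8.9"),
    ]
    for product, version in inventory:
        print(f"{product} {version}: {check(product, version)}")
```

    Treat "not covered" as a prompt to check the End of Support page
    above rather than as a clean result, and remember that several of
    the fixed builds carry a Release ETA later than this revision's date,
    so "fixed" here means "the fixed build exists or is planned", not
    that it is installed.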


    Workaround
    ==========
    To minimize the likelihood of an attacker exploiting these
    vulnerabilities, Aruba recommends that the CLI and web-based
    management interfaces be restricted to a dedicated layer 2
    segment/VLAN and/or controlled by firewall policies at layer 3
    and above.


    Exploitation and Public Discussion
    ==================================
    These vulnerabilities are being widely discussed in public.
    Aruba is not aware of any exploitation tools or techniques that
    specifically target Aruba products.


    Revision History
    ================
    Revision 1 / 2022-May-17 / Initial release
    Revision 2 / 2022-Jun-01 / ClearPass Policy Manager information added.
                               EdgeConnect Enterprise Orchestrator Cloud
                               products moved to unaffected.
    Revision 3 / 2022-Jul-07 / AOS-CX information added.
    Revision 4 / 2022-Jul-21 / Aruba Location Engine information added.
                               Aruba Central On-Premises information added.
                               Aruba Virtual Intranet Access (VIA)
                               information added.
                               ArubaOS Wi-Fi Controllers and Gateways
                               information added.
                               ArubaOS SD-WAN Gateways information added.
                               Removed products under investigation section.
                               Marked status as confirmed.


    Aruba SIRT Security Procedures
    ==============================
    Complete information on reporting security vulnerabilities in
    Aruba Networks products and obtaining assistance with security
    incidents is available at:

    https://www.arubanetworks.com/support-services/security-bulletins/


    For reporting *NEW* Aruba Networks security issues, email can
    be sent to aruba-sirt(at)hpe.com. For sensitive information we
    encourage the use of PGP encryption. Our public keys can be
    found at:

    https://www.arubanetworks.com/support-services/security-bulletins/


    (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise
    company. This advisory may be redistributed freely after the
    release date given at the top of the text, provided that the
    redistributed copies are complete and unmodified, including all
    data and version information.
    -----BEGIN PGP SIGNATURE-----

    iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmLVYQoXHHNpcnRAYXJ1
    YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtm2DQgAgHKBL6a1gyT8y8oxXsVGqvnm
    sPz6aJUT1szX6Dw6SMVVAfZ3cv19V7i9wbiJg0+wQBc7w3+5tRAEqHiMn+0FDi3p
    LirhNMvUk9AK+moQ/zi2MQT0WAbaAerrLH1hja2V3rSSySYXfyTVhcwwHDFnkISJ
    LmMtQI9lKY8oGZ5q1MnQGGggtA54m3hY6TP7qN1te+/aMOUflobUfeKz0KmvA4Br
    dkQtN3QEeElms4hSmr4aiO+OQat99TgKzb5lcIdEr/dgHcJFApD3IvRDxvbRK8yZ
    TviMLDyFRh6yWjE6BsYlLFZSvu1fdMq589c8SujEkovOA14ifDq/MLhLvU58/g==
    =qp2L
    -----END PGP SIGNATURE-----
