Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-010
CVE: CVE-2022-25235, CVE-2022-25236, CVE-2022-25313,
CVE-2022-25314, CVE-2022-25315
Publication Date: 2022-May-17
Last Update: 2022-Jul-21
Status: Confirmed
Severity: Critical
Revision: 4
Title
=====
Multiple Vulnerabilities in Expat XML processing library
Overview
========
Multiple CVEs have been disclosed that involve the faulty
handling of XML input by the Expat application and library. These
CVEs impact multiple Aruba products.
Details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2022-25235
https://nvd.nist.gov/vuln/detail/CVE-2022-25236
https://nvd.nist.gov/vuln/detail/CVE-2022-25313
https://nvd.nist.gov/vuln/detail/CVE-2022-25314
https://nvd.nist.gov/vuln/detail/CVE-2022-25315
Affected Products
=================
- AirWave Management Platform
- 8.2.14.0 and below
- Aruba Analytics and Location Engine
- 2.2.0.2 and below
- Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
- 6.2.0 and below
- Aruba Central On-Premises
- 2.5.4.x and below
- Aruba ClearPass Policy Manager
- 6.10.4 and below
- 6.9.10 and below
- 6.8.9 without Hotfix for Q1 2022 Security issues
- ArubaOS-CX Switches
- 10.09.1030 and below
- 10.08.1060 and below
- 10.07.0070 and below
- 10.06.0200 and below
- ArubaOS Wi-Fi Controllers and Gateways
- ArubaOS SD-WAN Gateways
- Please note that this only affects controllers and
gateways based on the x86 architecture.
This includes the following models:
- Aruba 9000 Series Controllers
- Aruba 9200 Series Controllers
- Aruba Virtual Mobility Controllers
- Aruba Virtual and Hardware-based Mobility Conductors
- The affected code versions are as follows:
- ArubaOS 8.6.x: 8.6.0.18 and below
- ArubaOS 8.7.x: 8.7.1.9 and below
- ArubaOS 8.10.x: 8.10.0.2 and below
- ArubaOS 10.3.x: 10.3.1.0 and below
- SDWAN 2.X: 8.7.0.0-2.3.0.7 and below
- Aruba EdgeConnect Enterprise
- ECOS 9.1.1.3 and below
- ECOS 9.0.6.0 and below
- ECOS 8.3.6.0 and below
- Impact of this vulnerability on ECOS is very low.
- Aruba EdgeConnect Enterprise Orchestrator (on-premises)
- See resolution section for details
- Aruba Virtual Intranet Access (VIA)
- Affects macOS/OSX versions only. Others are unaffected
- 4.3.0 and below
Unaffected Products
===================
- Aruba Instant / Aruba Instant Access Points
- Aruba Instant On
- Aruba IntroSpect
- Aruba NetEdit
- Aruba User Experience Insight (UXI)
- ArubaOS-S Switches
- Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
- Aruba EdgeConnect Enterprise Orchestrator-SP
- Aruba EdgeConnect Enterprise Orchestrator Global Enterprise
Other Aruba products not listed above are also not known to be
affected by these vulnerabilities.
Details
=======
Vulnerabilities have been identified in a commonly used
component in multiple Aruba products. These vulnerabilities
allow attackers to use specially crafted XML input to
potentially cause denial of service conditions or remote code
execution.
Details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2022-25235
https://nvd.nist.gov/vuln/detail/CVE-2022-25236
https://nvd.nist.gov/vuln/detail/CVE-2022-25313
https://nvd.nist.gov/vuln/detail/CVE-2022-25314
https://nvd.nist.gov/vuln/detail/CVE-2022-25315
Internal references: ATLCP-191, ATLAX-60, ATLWL-293,
ATLWL-183, ATLWL-292, ATLWL-192, ATLSP-1
CVSS Vectors and Scores provided by NVD as follows:
CVE-2022-25235 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical
CVE-2022-25236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical
CVE-2022-25313 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 medium
CVE-2022-25314 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 high
CVE-2022-25315 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical
Aruba Threat Labs analyzed and tested these vulnerabilities
in the products using the affected component. Testing found
that exploitation of these vulnerabilities is not
straightforward and depends on many factors that an
attacker may not be able to control.
Aruba has chosen to keep the NVD provided severity scores as a
reference. The impact on products using the affected component
is very low based on ongoing testing.
Resolution
==========
- AirWave Management Platform
- 8.2.14.1 and above
- Aruba Analytics and Location Engine
- 2.2.0.3 and above
Release ETA - late July 2022
- Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
- 6.2.1 and above
- Aruba Central On-Premises
- 2.5.5.0 and above
Release ETA - late July 2022
- Aruba ClearPass Policy Manager
- 6.10.5 and above
- 6.9.11 and above
- 6.8.9 with Hotfix for Q1 2022 Security issues applied
- ArubaOS-CX Switches
- 10.10.0002 and above
- 10.09.1031 and above
- 10.08.1070 and above
- 10.07.0080 and above
- 10.06.0210 and above
- ArubaOS Wi-Fi Controllers and Gateways
- ArubaOS SD-WAN Gateways
- Please note that this only affects controllers and
gateways based on the x86 architecture.
This includes the following models:
- Aruba 9000 Series Controllers
- Aruba 9200 Series Controllers
- Aruba Virtual Mobility Controllers
- Aruba Virtual and Hardware-based Mobility Conductors
- The fixed code versions are as follows:
- ArubaOS 8.6.x: 8.6.0.19 and above
Release ETA - early September 2022
- ArubaOS 8.7.x: 8.7.1.10 and above
Release ETA - late July 2022
- ArubaOS 8.10.x: 8.10.0.3 and above
Release ETA - late August 2022
- ArubaOS 10.3.x: 10.3.1.1 and above
Release ETA - early August 2022
- SDWAN 2.X: 8.7.0.0-2.3.0.8 and above
Release ETA - late July 2022
- Aruba EdgeConnect Enterprise
- ECOS 9.1.1.4 and above
- ECOS 9.0.7.0 and above
- ECOS 8.3.7.0 and above
- Impact of this vulnerability on ECOS is very low.
Fixes will be applied only to the ECOS versions
that are listed above due to the minimal risk involved.
- Aruba EdgeConnect Enterprise Orchestrator (on-premises)
- Orchestrator does not use expat library. However:
- Customers using CentOS are suggested to run
'yum update expat' from the administrative command line to
address this vulnerability; to verify if the patch has been
applied, run "rpm -q --changelog expat" and look for
the specific CVEs. If the output shows "Resolves", the
patches for the CVE(s) have already been applied.
- OR -
- Upgrading (from 9.0.6 or later) to any newer Orchestrator
version automatically updates expat and resolves this
vulnerability.
- New virtual machine images already have the fix for this
vulnerability.
- Customers using Fedora must upgrade to CentOS for support
of security updates. Please contact Customer Support for
the procedure.
- Aruba Virtual Intranet Access (VIA)
- Affects macOS/OSX versions only. Others are unaffected
- 4.4.0 and above
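As an added example (not code from the Aruba advisory or from HPE), the following POSIX shell script automates the Orchestrator verification step above: it scans "rpm -q --changelog expat" output for each CVE this advisory lists and reports any that do not appear on a line marked "Resolves". The "Resolves" line layout and the sample changelog are constructed assumptions; real changelog wording varies by distribution.

```shell
#!/bin/sh
# Added example, not part of the Aruba advisory: report which of the
# ARUBA-PSA-2022-010 Expat CVEs an rpm changelog does NOT mark as resolved.
# The "Resolves:" line format is an assumption; wording varies by distro.

PSA_2022_010_CVES="CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315"

# missing_cves CHANGELOG_TEXT
# Prints, space separated, the advisory CVEs that never appear on a
# changelog line containing "Resolves". Empty output means all are covered.
missing_cves() {
    _changelog="$1"
    _missing=""
    for _cve in $PSA_2022_010_CVES; do
        if ! printf '%s\n' "$_changelog" | grep -i 'resolves' | grep -q -- "$_cve"; then
            _missing="$_missing $_cve"
        fi
    done
    printf '%s' "${_missing# }"
}

# Live check against the installed package (skipped where rpm is absent).
check_installed_expat() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping live check" >&2; return 2; }
    _left=$(missing_cves "$(rpm -q --changelog expat 2>/dev/null)")
    if [ -z "$_left" ]; then
        echo "expat changelog resolves all five advisory CVEs"
    else
        echo "expat changelog does not resolve: $_left"
        return 1
    fi
}

# Constructed sample changelog: three CVEs on a Resolves line, one only
# mentioned in a plain "Fix" line, one absent entirely.
SAMPLE_CHANGELOG='* Tue Mar 01 2022 Example Packager <pkg@example.invalid> - 2.2.5-4
- Fix CVE-2022-25314 in the build tree
- Resolves: CVE-2022-25235 CVE-2022-25236 CVE-2022-25313
* Mon Feb 14 2022 Example Packager <pkg@example.invalid> - 2.2.5-3
- Rebuild'

# Stand-alone demonstration on the constructed sample
missing_cves "$SAMPLE_CHANGELOG"; echo
```

Run check_installed_expat on a CentOS Orchestrator host to test the real package; the sample run reports CVE-2022-25314 and CVE-2022-25315 as still unresolved.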
Aruba does not evaluate or patch product versions that have
reached their End of Support (EoS) milestone. For more
information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/
Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based
management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3
and above.
Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public.
Aruba is not aware of any exploitation tools or techniques that
specifically target Aruba products.
Revision History
================
Revision 1 / 2022-May-17 / Initial release
Revision 2 / 2022-Jun-01 / ClearPass Policy Manager information added.
                           EdgeConnect Enterprise Orchestrator Cloud
                           products moved to unaffected.
Revision 3 / 2022-Jul-07 / AOS-CX information added.
Revision 4 / 2022-Jul-21 / Aruba Location Engine information added.
                           Aruba Central On-Premises information added.
                           Aruba Virtual Intranet Access (VIA)
                           information added.
                           ArubaOS Wi-Fi Controllers and Gateways
                           information added.
                           ArubaOS SD-WAN Gateways information added.
                           Removed products under investigation section.
                           Marked status as confirmed.
Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in
Aruba Networks products and obtaining assistance with security
incidents is available at:
https://www.arubanetworks.com/support-services/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can
be sent to aruba-sirt(at)hpe.com. For sensitive information we
encourage the use of PGP encryption. Our public keys can be
found at:
https://www.arubanetworks.com/support-services/security-bulletins/
(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise
company. This advisory may be redistributed freely after the
release date given at the top of the text, provided that the
redistributed copies are complete and unmodified, including all
data and version information.