Critical

ArubaOS Multiple Vulnerabilities

CVE Number: CVE-2019-5318, CVE-2021-37716, CVE-2021-37717, CVE-2021-37718, CVE-2020-37719, CVE-2021-37720, CVE-2021-37721, CVE-2021-37722, CVE-2021-37723, CVE-2021-37724, CVE-2021-37725, CVE-2021-37728, CVE-2021-37729, CVE-2021-37731, CVE-2021-37733

Aruba has released patches for ArubaOS that address multiple security vulnerabilities.

High

AirWave Management Platform Multiple Vulnerabilities

CVE Number: CVE-2021-3156, CVE-2021-37715

Aruba has released updates to the AirWave Management Platform that address multiple security vulnerabilities.

High

Sudo Privilege Escalation Vulnerability in Analytics and Location Engine (ALE)

CVE Number: CVE-2021-3156

Aruba has released updates to Analytics and Location Engine (ALE) that address a security vulnerability in the sudo utility.

High

AOS-CX Devices Multiple Vulnerabilities

CVE Number: CVE-2020-25705, CVE-2021-29143, CVE-2021-29148, CVE-2021-29149

Aruba has released updates for wired switch products running AOS-CX that address multiple security vulnerabilities.

High

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2020-14386, CVE-2021-3156, CVE-2021-29150, CVE-2021-29151, CVE-2021-29152, CVE-2021-34609, CVE-2021-34610, CVE-2021-34611, CVE-2021-34612, CVE-2021-34613, CVE-2021-34614, CVE-2021-34615, CVE-2021-34616

Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.

Medium

802.11 Frame Aggregation and Fragmentation Vulnerabilities

CVE Number: CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143, CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, CVE-2020-26147

Twelve new vulnerabilities related to different components in the implementation of the 802.11 standard have been published.

Successful exploitation of each one of these vulnerabilities can result in sensitive data disclosure and possibly traffic manipulation.

High

AirWave Management Platform Multiple Vulnerabilities

CVE Number: CVE-2021-25147, CVE-2021-25151, CVE-2021-25152, CVE-2021-25153, CVE-2021-25154, CVE-2021-25163, CVE-2021-25164, CVE-2021-25165, CVE-2021-25166, CVE-2021-25167, CVE-2021-29137

Aruba has released updates to the AirWave Management Platform that address multiple security vulnerabilities.

Critical

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2020-7123, CVE-2021-29138, CVE-2021-29139, CVE-2021-29140, CVE-2021-29141, CVE-2021-29142, CVE-2021-29144, CVE-2021-29145, CVE-2021-29146, CVE-2021-29147

Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.

High

SAD DNS side channel attack

CVE Number: CVE-2020-25705

A vulnerability made public under the name SAD DNS affects Domain Name System resolvers due to a vulnerability in the Linux kernel when handling ICMP packets. This vulnerability is present in some Aruba products which are listed below. For more information please see https://www.saddns.net/.

Critical

Aruba Instant (IAP) Multiple Vulnerabilities

CVE Number: CVE-2019-5317, CVE-2019-5319, CVE-2020-24635, CVE-2020-24636, CVE-2021-25143, CVE-2021-25144, CVE-2021-25145, CVE-2021-25146, CVE-2021-25148, CVE-2021-25149, CVE-2021-25150, CVE-2021-25155, CVE-2021-25156, CVE-2021-25157, CVE-2021-25158, CVE-2021-25159, CVE-2021-25160, CVE-2021-25161, CVE-2021-25162

Aruba has released patches for Aruba Instant that address multiple security vulnerabilities.

Low

Multiple Vulnerabilities in dnsmasq

CVE Number: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687

Seven new vulnerabilities were reported in the open-source component dnsmasq. This collection of vulnerabilities has been made public under the name DNSpooq.

High

AirWave Management Platform Multiple Vulnerabilities

CVE Number: CVE-2021-29960, CVE-2021-29961, CVE-2021-29962, CVE-2021-29963, CVE-2021-29964, CVE-2021-29965, CVE-2021-29966, CVE-2021-29967, CVE-2021-29968, CVE-2021-29969, CVE-2021-29970, CVE-2021-29971

Aruba has released updates to the AirWave Management Platform that address multiple security vulnerabilities.

High

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2020-7120, CVE-2021-26677, CVE-2021-26678, CVE-2021-26679, CVE-2020-26680, CVE-2020-26681, CVE-2020-26682, CVE-2020-26683, CVE-2020-26684, CVE-2020-26685, CVE-2020-26686

Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.

High

HPE and Aruba L2/L3 Switches, Remote Memory Corruption

CVE Number: CVE-2020-27337

A potential security vulnerability has been identified in certain HPE and Aruba L2/L3 switches. The vulnerability could be remotely exploited to cause memory corruption.

Medium

HPE and Aruba L2/L3 Switches, Local Denial of Service (DoS)

CVE Number: CVE-2021-25141

A security vulnerability has been identified in certain HPE and Aruba L2/L3 switch firmware. A data processing error due to improper handling of an unexpected data type in user supplied information to the switch's management interface has been identified. The data processing error could be exploited to cause a crash or reboot in the switch management interface and/or possibly the switch itself leading to local denial of service (DoS). The user must have administrator privileges to exploit this vulnerability.

Critical

AirWave Glass Multiple Vulnerabilities

CVE Number: CVE-2020-24638, CVE-2020-24639, CVE-2020-24640, CVE-2020-24641

Aruba has released updates to AirWave Glass that address multiple security vulnerabilities.

Critical

ArubaOS Multiple Vulnerabilities

CVE Number: CVE-2020-10713, CVE-2020-24633, CVE-2020-24634, CVE-2020-24637

Aruba has released patches for ArubaOS that address multiple security vulnerabilities.

Critical

AirWave Glass Multiple Vulnerabilities

CVE Number: CVE-2020-7124, CVE-2020-7125, CVE-2020-7126, CVE-2020-7127, CVE-2020-7128, CVE-2020-7129, CVE-2020-24631, CVE-2020-24632

Aruba has released updates to AirWave Glass that address multiple security vulnerabilities.

Low

TCP SACK PANIC - Kernel vulnerabilities

CVE Number: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Aruba has released updates to products affected by Linux Kernel vulnerabilities known as TCP SACK PANIC. Successful exploitation of the most severe of these vulnerabilities could allow a remote attacker to trigger a kernel panic and impact the system availability.

High

Multiple Memory Corruption Vulnerabilities for Aruba CX Switches

CVE Number: CVE-2020-7121, CVE-2020-7122

Four memory corruption vulnerabilities in the Aruba CX Switches have been found. Successful exploitation of these vulnerabilities could result in Local Denial of Service of both LLDP (Link Layer Discovery Protocol) and CDP (Cisco Discovery Protocol) processes in the switch.

High

Authenticated arbitrary file modification vulnerability in Analytics and Location Engine (ALE)

CVE Number: CVE-2020-7119

Aruba has released an update to Analytics and Location Engine (ALE) that addresses a high severity vulnerability in the Web Management Interface of this product.

High

Multiple vulnerabilities in Web Management Interface for Aruba Intelligent Edge Switches

CVE Number: CVE-2019-5320, CVE-2019-5321

Two vulnerabilities in the Aruba Intelligent Edge Switches web management interface have been found. Successful exploitation of these vulnerabilities could result in unauthorized administrative access to the switch.

Critical

"Ripple20" Multiple Vulnerabilities affecting the Treck TCP/IP stack

CVE Number: CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914

A collection of vulnerabilities known as "Ripple20" affect the Treck TCP/IP stack implementation. Successful exploitation of these vulnerabilities could result in denial of service, information disclosure or remote code execution. This is a preliminary advisory based on initial investigation; it will be updated as new information becomes known. Aruba has not yet performed a complete analysis of impact; CVSS scores listed below represent the worst case scenario and actual severity may be less than reported here.

High

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2020-7115, CVE-2020-7116, CVE-2020-7117

Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.

Critical

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2020-7110, CVE-2020-7111, CVE-2020-7113, CVE-2020-7114

Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.

Low

WPA and WPA2 Disassociation Vulnerability ("Kr00k")

CVE Number: CVE-2019-15126

A timing flaw in certain Wi-Fi chip firmware may allow an attacker to decrypt a limited amount of WPA2-encrypted frames using a known all-zero key. Some Aruba products are affected by this vulnerability. This is a preliminary advisory based on initial investigation; it will be updated as new information becomes known.

Medium

AirWave Management Platform Multiple Vulnerabilities

CVE Number: CVE-2019-5323, CVE-2019-5326

Multiple Remote Code Execution Vulnerabilities have been uncovered in the AirWave Management Platform. An attacker who is able to exploit these vulnerabilities could run untrusted arbitrary commands or code on the AirWave platform. All three vulnerabilities require the attacker to be authenticated to the administrative interface of AirWave.

High

Information Disclosure in Web Management Interface for Aruba Intelligent Edge Switches

CVE Number: CVE-2019-5322

An information disclosure vulnerability is present in Aruba Intelligent Edge Switches which allows an attacker to retrieve sensitive system information. This attack can be carried out without user authentication under very specific conditions.

High

Aruba Mobility Controller Multiple Remote Code Execution Vulnerabilities

CVE Number: CVE-2018-7081, CVE-2019-5314, CVE-2019-5315

Aruba has released updates to ArubaOS that address serious vulnerabilities present in some versions running on the Aruba Mobility Controller. An attacker could use these vulnerabilities to execute arbitrary code on the underlying operating system with full system privileges.

Low

Aruba Impact for CPU Side-Channel Attacks

CVE Number: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

This is an update to ARUBA-PSA-2018-001. Since the publication of that advisory, a number of additional CPU side-channel attacks have been demonstrated and theorized, with names such as MDS (Microarchitectural Data Sampling), ZombieLoad, Fallout, RIDL and Store-to-Leak Forwarding. All of these techniques share similar traits. Aruba is not affected by these vulnerabilities. The text of this advisory will continue to apply to future related vulnerabilities unless Aruba issues an advisory to the contrary.

N/A

WPA3 Multiple Vulnerabilities

CVE Number: CVE-2019-9494

On April 10, 2019 a research paper by Mathy Vanhoef and Eyal Ronen was released documenting a series of potential vulnerabilities in implementations of WPA3 and EAP-pwd (RFC 5931). Details on EAP-pwd vulnerabilities have not yet been released. This advisory covers only WPA3 vulnerabilities.

Critical

Aruba Instant Multiple Vulnerabilities

CVE Number: CVE-2018-7064, CVE-2018-7082, CVE-2018-7083, CVE-2018-7084, CVE-2018-16417

Aruba has released updates to Aruba Instant (IAP) that address multiple serious vulnerabilities. The most significant vulnerability is rated CRITICAL with a CVSS score of 9.8.

Critical

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2018-7063, CVE-2018-7065, CVE-2018-7066, CVE-2018-7067, CVE-2018-7079

Aruba has released an update to ClearPass Policy Manager that addresses multiple security vulnerabilities.

High

Aruba BLE Radio Firmware Vulnerability

CVE Number: CVE-2018-7080

A vulnerability exists in the firmware of embedded BLE radios that are part of some Aruba access points. An attacker who is able to exploit the vulnerability could install new, potentially malicious firmware into the AP's BLE radio and could then gain access to the AP's console port. Aruba products are NOT affected by a similar vulnerability being tracked as CVE-2018-16986.

N/A

Apache Struts Vulnerability in ClearPass Policy Manager

CVE Number: CVE-2018-11776

Apache Struts versions 2.3 prior to 2.3.35 suffer from a possible Remote Code Execution vulnerability. After examination of the source code and extensive testing using both commercial vulnerability scanners and exploit-specific test scripts, Aruba has determined that ClearPass is not affected by the latest vulnerability in Apache Struts.

High

Linux Kernel Vulnerabilities in ClearPass and AirWave

CVE Number: CVE-2018-5390, CVE-2018-5391

Two Linux kernel vulnerabilities, known as "SegmentSmack" and "FragmentSmack", have been publicly disclosed. The Linux kernel used by Aruba ClearPass Policy Manager and Aruba AirWave is affected. Other Aruba products are not affected.

N/A

Return Of Bleichenbacher's Oracle Threat (ROBOT)

CVE Number: CVE-2017-13099

The cryptography library used by Aruba Instant provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker may be able to recover private keys for X.509 certificates. This vulnerability is referred to as "ROBOT."

Critical

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2018-7058, CVE-2018-7059, CVE-2018-7060, CVE-2018-0489

Aruba has released an update to ClearPass Policy Manager that addresses four security vulnerabilities.

N/A

Unauthorized Memory Disclosure through CPU Side-Channel Attacks ("Meltdown" and "Spectre")

CVE Number: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Vulnerabilities exist in multiple modern CPU architectures that could permit an attacker to read the contents of memory. Aruba products are not affected by these vulnerabilities, based on how the products are accessed.

Medium

WPA2 Key Reinstallation Vulnerabilities (CVE-2017-13077)

CVE Number: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088

Common industry-wide flaws in WPA2 key management may allow an attacker to decrypt, replay, and forge some frames on a WPA2 encrypted network. The accompanying FAQ document provides more extensive details.

High

ArubaOS Multiple Vulnerabilities

CVE Number: CVE-2017-9000, CVE-2017-9003

Multiple flaws are present in ArubaOS that may permit an unauthenticated user to access files, corrupt memory, and potentially execute remote code. Software updates are available to address these vulnerabilities.

High

Multiple Vulnerabilities in 'dnsmasq'

CVE Number: CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496

Multiple serious vulnerabilities were reported in the open-source component "dnsmasq". These vulnerabilities primarily represent a denial-of-service risk, but they could also potentially be leveraged to lead to remote code execution.

High

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2017-9001, CVE-2017-9002

Aruba has released an update to ClearPass Policy Manager that addresses two security vulnerabilities.

Low

Apache Struts Multiple Vulnerabilities

CVE Number: CVE-2017-9804, CVE-2017-9793, CVE-2017-9805, CVE-2017-12611

The Apache Struts group announced Struts version 2.3.34 on September 7, 2017. Included in this update were fixes for four security vulnerabilities. Aruba ClearPass makes use of Apache Struts. This advisory provides details on Aruba's exposure to these vulnerabilities: CVE-2017-9804 (Affected), CVE-2017-9793 (NOT affected), CVE-2017-9805 (NOT affected), CVE-2017-12611 (POSSIBLY affected).

High

HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities

CVE Number: CVE-2017-5824, CVE-2017-5825, CVE-2017-5826, CVE-2017-5827, CVE-2017-5828, CVE-2017-5829, CVE-2017-5647

Potential security vulnerabilities have been identified in HPE Aruba ClearPass Policy Manager. The vulnerabilities could be remotely exploited to allow access restriction bypass, arbitrary command execution, cross site scripting (XSS), escalation of privilege and disclosure of information.

High

HPE Aruba AirWave Glass, Remote Code Execution

CVE Number: CVE-2017-8946

A potential vulnerability in HPE Aruba AirWave Glass 1.0.0 and 1.0.1 could be remotely exploited to allow remote code execution.

Critical

Apache Struts Remote Code Execution Vulnerability

CVE Number: CVE-2017-5638

An unauthenticated remote code execution vulnerability in the Apache Struts 2 package has been publicly reported. This advisory details Aruba's exposure to this vulnerability.

Medium

AirWave Management Platform Multiple Vulnerabilities

CVE Number: CVE-2016-8526, CVE-2016-8527

This week, Aruba expects a security consulting firm to publicly disclose two vulnerabilities in Aruba AirWave. The first is an XML External Entity (XXE) vulnerability, while the second is a reflected cross-site scripting (XSS) vulnerability. Both vulnerabilities exist in the VisualRF component of AirWave. Both vulnerabilities require authentication using valid administrative credentials.

High

"Dirty Cow" Linux Kernel Vulnerability (CVE-2016-5195)

CVE Number: CVE-2016-5195

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. Multiple Aruba products are built on top of Linux.

Critical

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2016-4401

Multiple vulnerabilities have been fixed in ClearPass Policy Manager. Update to the latest supported version to address all vulnerabilities.

Medium

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2016-2107, CVE-2016-2118, CVE-2016-2034

Multiple vulnerabilities exist in ClearPass Policy Manager. Given the severity of these issues, customers are urged to update their software immediately by applying a hotfix patch.

Medium

ArubaOS Multiple Vulnerabilities

CVE Number: CVE-2016-0801, CVE-2016-0802, CVE-2015-8605

Multiple vulnerabilities have recently been fixed in ArubaOS.

Critical

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2016-2033

Multiple vulnerabilities exist in ClearPass Policy Manager. Given the severity of these issues, customers are urged to update their software immediately.

N/A

ArubaOS PAPI Vulnerabilities

CVE Number:

Although this information was previously disclosed, an impending public disclosure by the Google Security Team (focused on Aruba Instant) will call out the vulnerable details of this protocol and bring it to the attention of the attacker community.

Medium

Aruba Instant Multiple Vulnerabilities

CVE Number: CVE-2016-2031, CVE-2016-0801, CVE-2016-0802

Multiple vulnerabilities exist in Aruba Instant. The contents of this advisory are subject to an impending public disclosure by the Google Security Team under a 90-day disclosure deadline; therefore customers are advised to treat this advisory urgently.

Low

AirWave Management Platform Multiple Vulnerabilities

CVE Number: CVE-2016-2032

Multiple vulnerabilities exist in the AirWave Management Platform. The contents of this advisory are subject to an impending public disclosure by the Google Security Team under a 90-day disclosure deadline; therefore customers are advised to treat this advisory urgently.

High

SAMR and LSA man in the middle attacks ("BADLOCK")

CVE Number: CVE-2016-2118

The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."

N/A

OpenSSL Multiple Vulnerabilities (March 2016)

CVE Number: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0703, CVE-2016-0704

Multiple vulnerabilities exist in OpenSSL. For more details, see the original OpenSSL advisory at https://www.openssl.org/news/secadv/20160301.txt.

High

glibc getaddrinfo() Stack-Based Buffer Overflow

CVE Number: CVE-2015-7547

A security vulnerability in the GNU C library is having widespread impact in the IT product vendor community. Aruba Networks is affected by this vulnerability and will be issuing multiple software updates.

Medium

ArubaOS Multiple Vulnerabilities

CVE Number: CVE-2015-5437

This advisory covers three vulnerabilities in ArubaOS: Reflected Cross-Site Scripting, Cross-Site Request Forgery, and Crafted frame causes AP-225 reboot.

Medium

Network Time Protocol Daemon (NTPD) Multiple Vulnerabilities

CVE Number: CVE-2015-7704, CVE-2015-7705, CVE-2015-7852, CVE-2015-7871

The NTP Project (www.ntp.org) announced multiple vulnerabilities in NTPD on October 21, 2015. For full details, see http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner. Multiple Aruba products incorporate NTPD and are vulnerable to a subset of the announced vulnerabilities.

Critical

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2015-3653, CVE-2015-3654, CVE-2015-3655, CVE-2015-3656, CVE-2015-3657, CVE-2015-4649, CVE-2015-4650

Multiple vulnerabilities exist in ClearPass Policy Manager. Multiple vulnerabilities in this advisory have a severity of "high". Customers are encouraged to upgrade to ClearPass 6.4.7 or ClearPass 6.5.2 as soon as possible.

Medium

OpenSSL Alternative chains certificate forgery

CVE Number: CVE-2015-1793

On July 9, 2015, the OpenSSL Project reported a high-severity vulnerability in certain versions of OpenSSL. The vulnerability affects processing of certificate trust chains. ClearPass version 6.5.2 was released on June 26, 2015 and contains OpenSSL version 1.0.1o, which is affected by the vulnerability.

Medium

OpenSSL Multiple Vulnerabilities (19 March 2015)

CVE Number: CVE-2015-0286, CVE-2015-0289, CVE-2015-0209, CVE-2015-0292

Multiple vulnerabilities exist in OpenSSL. For more details, see the original OpenSSL advisory at https://www.openssl.org/news/secadv_20150319.txt. This is a preliminary advisory - revisions will be posted as new information becomes available.

High

ClearPass Policy Manager Multiple Vulnerabilities

CVE Number: CVE-2015-1389, CVE-2015-1392, CVE-2015-1550, CVE-2014-6628, CVE-2015-1551

Multiple vulnerabilities exist in ClearPass Policy Manager. One of these has a severity of "high".

High

AirWave Multiple Vulnerabilities

CVE Number: CVE-2015-1390, CVE-2015-1391, CVE-2015-2201, CVE-2015-2202

Multiple vulnerabilities exist in AirWave.

Low

Aruba Remote Access Point (RAP) Command Injection

CVE Number: CVE-2015-1388

Aruba has identified a problem with the "RAP Console" feature used in Aruba access points operating in Remote AP mode.

Low

OpenSSL Multiple Vulnerabilities (08 January 2015)

CVE Number: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572, CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570

Multiple vulnerabilities exist in OpenSSL. For more details, see the original OpenSSL advisory at https://www.openssl.org/news/secadv_20150108.txt.

N/A

Buffer Overflow in glibc, aka “GHOST”

CVE Number: CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST".

Low

Aruba Instant (IAP) Wireless DoS Attack

CVE Number: CVE-2015-1348

Aruba has identified a problem with Aruba Instant firmware which could allow an attacker to crash or clear the configuration of an access point through a wireless interface.

Medium

Unauthenticated SQL Injection Vulnerability in ClearPass Policy Manager

CVE Number: CVE-2014-8367

A component of ClearPass Policy Manager is vulnerable to a read-only SQL injection attack by an unauthenticated user with access to the data network or the management network.

High

Aruba ClearPass Multiple Vulnerabilities (October 2014)

CVE Number: CVE-2014-5342, CVE-2014-6620, CVE-2014-6621, CVE-2014-6622, CVE-2014-6623, CVE-2014-6624, CVE-2014-6625, CVE-2014-6626, CVE-2014-6627

Multiple vulnerabilities have been discovered in the Aruba ClearPass product family. Please upgrade to the latest release to resolve the discovered vulnerabilities.

Low

SSL 3.0 “POODLE” Attack

CVE Number: CVE-2014-3566

On October 14, 2014, the Google Security Team announced a practical attack against the SSL 3.0 protocol that could allow an attacker to recover encrypted plaintext from an HTTPS session. This advisory describes Aruba's exposure to the attack.

High

ArubaOS Authentication Bypass Vulnerability

CVE Number: CVE-2014-7299

A vulnerability has been found in some ArubaOS versions that may permit unauthenticated access to administrative interfaces of Aruba controllers.

Low

GNU bash Shell Multiple Vulnerabilities

CVE Number: CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278

On September 24, 2014, a public announcement was made regarding a vulnerability in the GNU 'bash' shell that could permit remote code execution. This vulnerability was assigned CVE-2014-6271 and fixes were published. The fix was incomplete, and a second vulnerability (CVE-2014-7169) was published. Over the following days, additional vulnerabilities (CVE-2014-6277 and CVE-2014-6278) were also made public.

Medium

OpenSSL Multiple Vulnerabilities (August 2014)

CVE Number: CVE-2014-3511

On August 6, 2014, the OpenSSL Foundation announced multiple vulnerabilities in OpenSSL through the advisory at https://www.openssl.org/news/secadv_20140806.txt. A number of Aruba Networks products make use of OpenSSL. This advisory has been created to describe Aruba's exposure to these vulnerabilities.

Medium

SQL Injection and Credential Disclosure Vulnerability in Aruba Networks ClearPass Policy Manager

CVE Number: CVE-2014-4013, CVE-2014-4031

SQL Injection and Credential Disclosure vulnerabilities have been discovered in Aruba Networks ClearPass Policy Manager. This advisory describes ClearPass' exposure to these vulnerabilities.

Medium

OpenSSL Multiple Vulnerabilities

CVE Number: CVE-2014-0224

On June 5, 2014, the OpenSSL Foundation announced multiple vulnerabilities in OpenSSL through the advisory at http://www.openssl.org/news/secadv_20140605.txt. A number of Aruba Networks products make use of OpenSSL. This advisory has been created to describe Aruba's exposure to these vulnerabilities.

High

Apache Struts2 Vulnerability in Aruba Networks ClearPass Policy Manager

CVE Number: CVE-2014-0050, CVE-2014-0094, CVE-2014-0112, CVE-2014-0113

Denial of Service and code execution vulnerabilities in Apache Struts were revealed through CVE-2014-0050, CVE-2014-0094, CVE-2014-0112, and CVE-2014-0113. These could allow a malicious user to potentially cause a denial of service, or manipulate the ClassLoader thereby allowing remote code execution.

High

Privilege Elevation Vulnerability in ClearPass Policy Manager for Authenticated Network Users

CVE Number: CVE-2014-2071, CVE-2014-2593

If ClearPass is configured to use tunneled and non-tunneled authentication methods within a single policy construct (Service), a network user with independent inner and outer identities could receive elevated network privileges while using a tunneled EAP method to connect to the network.

Medium

OpenSSL 1.0.1 library (Heartbleed) vulnerability

CVE Number: CVE-2014-0160

There is a very serious vulnerability that has been discovered in the OpenSSL 1.0.1 library. This vulnerability can allow an external attacker to extract segments of memory from a remote system without leaving any traces. This memory could contain vital security information, including private keys. These keys, in turn, could be used to mount a man-in-the-middle attack.

High

Apache Struts2 Vulnerability in Aruba Networks ClearPass Policy Manager

CVE Number: CVE-2013-2248, CVE-2013-2251

Remote code execution and redirection vulnerabilities in Apache Struts were revealed on 07/20/2013 through CVE-2013-2248 and CVE-2013-2251. These allow a malicious user to execute Struts OGNL expressions using Struts' action/redirect/redirectAction prefixes to evaluate OGNL expressions.

Low

Sponsor Confirmation Approval Bypass Vulnerability in Aruba Networks ClearPass Guest product

CVE Number: CVE-2013-2269

When customers use the default settings for Sponsorship Confirmation, there exists a possibility that anyone – not just the sponsor – could approve a request. This could allow unauthorized access to the guest network and whatever access it may have inside the organization.

Low

Multiple Vulnerabilities in OpenSSL

CVE Number: CVE-2013-0166

On February 5, 2013 the OpenSSL Project issued three vulnerability notices regarding various versions of OpenSSL, an open-source cryptographic library. A number of Aruba Networks products make use of OpenSSL, including ArubaOS, AirWave, and ClearPass Policy Manager. This advisory provides information on how the OpenSSL vulnerabilities affect Aruba customers.

High

OS Command Injection Vulnerability in Aruba Remote Access Point Diagnostic Web Interface

CVE Number:

An OS command injection vulnerability has been discovered in the Aruba Remote Access Point's Diagnostic Web Interface. When running the diagnostic web interface, arbitrary system commands can be executed as the root user on the Remote device by an unauthenticated attacker.

Medium

Cross Site Scripting vulnerability in ArubaOS Administration Web Interface

CVE Number: CVE-2013-2290

A persistent Cross Site Scripting vulnerability (XSS) was discovered through which an attacker could plant an AP with maliciously crafted SSID in the general vicinity of the wireless LAN and might be able to trigger a XSS attack in the dashboard section of the ArubaOS Administration WebUI.

Medium

Cross Site Scripting vulnerability in ArubaOS and AirWave Administration Web Interfaces

CVE Number:

A persistent Cross Site Scripting vulnerability (XSS) was discovered where an attacker could plant an AP with maliciously crafted SSID in the general vicinity of the wireless LAN and might be able to trigger a XSS vulnerability in the reporting sections of the ArubaOS and AirWave Administration WebUIs.

Medium

Aruba Mobility Controller – multiple advisories: DoS and authentication bypass

CVE Number:

A Denial of Service (DoS) vulnerability was discovered during standard bug reporting procedures. A malformed 802.11 probe request frame causes a crash on the Access Point (AP) causing a temporary DoS condition for wireless clients. Prior successful security association with the wireless network is not required to cause this condition. The AP recovers automatically by restarting itself.

Medium

TLS Protocol Session Renegotiation Security Vulnerability

CVE Number: CVE-2009-3555

This advisory addresses the renegotiation-related vulnerability disclosed recently in the Transport Layer Security protocol [1][2]. This vulnerability may allow a Man-in-the-Middle (MITM) attacker to inject arbitrary data into the beginning of the application protocol stream protected by TLS.

Medium

Malformed 802.11 Association Request frame causes Denial of Service condition on an Access Point

CVE Number:

A Denial of Service (DoS) vulnerability was discovered during standard bug reporting procedures. A malformed 802.11 association request frame causes a crash on the Access Point (AP), resulting in a temporary DoS condition for wireless clients. Prior successful security association with the wireless network is not required to cause this condition. The AP recovers automatically by restarting itself.

Medium

Management User Authentication Bypass Vulnerability When Using Public Key Based SSH Authentication

CVE Number:

A management user authentication bypass vulnerability was discovered during standard internal bug reporting procedures in the Aruba Mobility Controller. This vulnerability only affects customers using public key based SSH authentication for controller management users.

Medium

DoS Vulnerability in Aruba Mobility Controller Caused by Malformed EAP Frame

CVE Number:

A Denial of Service (DoS) vulnerability was discovered during standard bug reporting procedures in the Aruba Mobility Controller. A malformed EAP frame causes a process crash on the Aruba Mobility Controller, resulting in a temporary DoS condition for new clients configured to use EAP authentication. Prior successful security association is not required to cause this condition. The Mobility Controller recovers automatically by restarting the affected process.

High

Aruba Mobility Controller TACACS User Authentication and Cross Site Scripting Vulnerabilities

CVE Number:

A user authentication vulnerability was discovered during standard bug reporting procedures in the Aruba Mobility Controller. This vulnerability only affects customers using TACACS authentication for Controller management users.

High

Aruba Mobility Controller User Authentication Vulnerability

CVE Number:

A user authentication vulnerability was discovered during standard bug reporting procedures in the Aruba Mobility Controller. This vulnerability affects customers using versions at or below 2.3.6.15, 2.5.2.11, 2.5.4.25, 2.5.5.7, 3.1.1.3, and 2.4.8.11-FIPS using LDAP authentication for management and VPN (PAP-L2TP) users.

High

Aruba Mobility Controller Management Interface Session Cookie Vulnerability

CVE Number:

A session cookie vulnerability was discovered during an internal audit of the Aruba Mobility Controller.

High

Aruba Mobility Controller Management Interface Login Pages Cross-Site Scripting

CVE Number: CVE-2007-6054

Persistent XSS on Aruba 800 Mobility Controller's login page.

Medium

Aruba Mobility Controller Management Interface Buffer Overflow

CVE Number:

A buffer overflow vulnerability was discovered during an external security audit of the Aruba Mobility Controller. This vulnerability affects customers using all versions of the Aruba Controller beginning with version 2.4. Certain malformed inputs to the management interfaces (web UI or CLI) will cause the system to crash.

High

Aruba Mobility Controller Guest User Privilege Escalation

CVE Number:

A privilege escalation vulnerability was discovered during an external security audit of the Aruba Mobility Controller. This vulnerability affects customers using all versions of the Aruba Controller beginning with version 2.3. Knowledge of this internal account may permit unauthorized access to the wireless LAN via the captive portal or VPN interfaces, as well as access to administrative functions of the Mobility Controller through the CLI and web UI and login interfaces.

N/A

VPN ISAKMP Message Processing Denial of Service

CVE Number:

CERT-FI has today released vulnerabilities in the IKE negotiation found by the tool developed by the Oulu University Secure Programming Group (OUSPG).

High

SSH tunneling allowed through Aruba devices

CVE Number:

SSH tunneling (port forwarding) through the Aruba devices is allowed.

N/A

IPsec configurations may be vulnerable to information disclosure

CVE Number: CAN-2005-0039

The NISCC (UK National Infrastructure Security Co-ordination Centre) has made public an advisory that describes three attacks that apply to certain configurations of IPsec. IP Security (IPsec) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer; IPsec has been deployed widely, including in wireless LAN environments, to implement Virtual Private Networks (VPNs). These three attacks apply to certain IPsec configurations that use Encapsulating Security Payload (ESP) in tunnel mode with confidentiality only, or with integrity protection being provided by a higher-layer protocol. Some configurations using AH to provide integrity protection are also vulnerable.

Medium

Risk of multiple Denial of Service attacks using modified ICMP packets

CVE Number:

The Internet Engineering Task Force has made available to the public a document that describes how to use the Internet Control Message Protocol (ICMP) to perform multiple Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP), using modified ICMP packets.

N/A

Aruba switches are vulnerable to a PPTP exploit

CVE Number:

Due to a buffer overflow, Aruba switches are vulnerable to a PPTP exploit even if the device is not configured to use this VPN feature.

N/A

ISC DHCP contains C includes that define "vsnprintf" to "vsprintf" creating potential buffer overflow conditions

CVE Number: CAN-2004-0461

It was disclosed by ISC, via CERT, that ISC DHCP contains C includes that define "vsnprintf" to "vsprintf", creating potential buffer overflow conditions.

N/A

ISC DHCPD contains a stack buffer overflow vulnerability in handling log lines containing ASCII characters only

CVE Number: CAN-2004-0460

Specially crafted DHCP packets cause a stack overflow in the Internet Software Consortium (ISC) DHCPD server. Aruba Networks products are not affected by this vulnerability.

Medium

IEEE 802.11 wireless network protocol DSSS CCA algorithm vulnerable to denial of service

CVE Number: CVE-2004-0459

A Denial of Service vulnerability for 802.11 devices was made public on 05/13/2004 by http://www.cert.org. The vulnerability alert disclosed how an attacker using an 802.11 device could mount a denial of service attack exploiting the CCA function of the 802.11 MAC. This attack would cause the 802.11 devices within the physical vicinity of the attacker to assume that the channel is busy and withhold their transmissions.

High

SSH vulnerabilities

CVE Number:

Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. Although the real impact of these vulnerabilities is unclear, they may lead to memory corruption and a possible denial-of-service situation.