Aruba Product Security Advisory ARUBA-PSA-2017-003 (ClearPass)

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2017-003

CVE: CVE-2017-9804, CVE-2017-9793, CVE-2017-9805, CVE-2017-12611

Publication Date: 2017-Sep-11

Status: Confirmed

Revision: 1

Title
=====

Apache Struts Multiple Vulnerabilities

Overview
========

The Apache Struts group announced Struts version 2.3.34 on September 7, 2017. Included in this update were fixes for four security vulnerabilities.

Aruba ClearPass makes use of Apache Struts. This advisory provides details on Aruba’s exposure to these vulnerabilities.

- CVE-2017-9804 (Affected)
- CVE-2017-9793 (NOT affected)
- CVE-2017-9805 (NOT affected)
- CVE-2017-12611 (POSSIBLY affected)

Affected Products
=================

- ClearPass Policy Manager (all versions)

Unaffected Products
===================

- ArubaOS
- Aruba Instant
- AirWave
- ALE
- All Aruba cloud services including Aruba Central and Meridian
- IntroSpect

Details
=======

ClearPass 6.6.5 through 6.6.7 contain Apache Struts version 2.3.32.

Possible DoS attack when using URLValidator (CVE-2017-9804)
-----------------------------------------------------------

The ClearPass Policy Manager administrative Web interface is affected by this vulnerability. ClearPass Guest, Insight, and Graphite are NOT affected. This vulnerability is only exposed to authenticated administrative users with read/write access to the system.

Severity: Low

CVSSv3 Overall Score: 2.7

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

DoS attack when using REST plugin (CVE-2017-9793)
-------------------------------------------------

ClearPass does not use the REST plugin.

Remote Code Execution when using the REST plugin (CVE-2017-9805)
----------------------------------------------------------------

ClearPass does not use the REST plugin.

Remote Code Execution when using specific Freemarker tags (CVE-2017-12611)
--------------------------------------------------------------------------

ClearPass MAY be affected by this vulnerability. In testing and analysis, Aruba has been unable to successfully exploit this flaw or identify a path for exploitation. Aruba will patch this vulnerability in ClearPass 6.6.8 and will update this advisory if new information becomes available. Restricting access to the Admin Web Interface as described below will limit the scope of this potential vulnerability.

Resolution
==========

Aruba will include a fix for CVE-2017-9804 in the next scheduled maintenance release, which is version 6.6.8. The target release date for ClearPass 6.6.8 is September 27, 2017.

Workarounds
===========

As a standard best practice, Aruba recommends that ClearPass administrators restrict access to the Policy Manager Admin Web Interface. This can be accomplished by navigating to Administration >> Server Manager >> Server Configuration >> <Server-Name> >> Network >> Restrict Access and only allowing non-public or network management networks.

Revision History
================

 

Revision 1 / 2017-Sep-11 / Initial release

 

 

Aruba SIRT Security Procedures

==============================

 

Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at:

 

http://www.arubanetworks.com/support-services/security-bulletins/

 

 

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

 

http://www.arubanetworks.com/support-services/security-bulletins/

 

 

(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZtuxiAAoJEJj+CcpFhYbZShUH/3G2x86tP6s/06BzXh6xvfT1
9g7iPmRlWVnqWGQsypFhN7GuxHDCLhy7cwguXehvkBaMxruQd+BMAMsaJ+P9sCMo
0Ay4JzExAiy7n0DPFzRVMt00KcsHLgnO4yFvaEGMXxvYTQweiQESPtKZxGUdvSsW
+zp9yBOz0xlcTDGV3qil6sBJ4vBvLlou3ZOWQg/TQCGP2X4QumpYEoqo6PdyrL0e
Ca6klXifkqbsuNdb75mXrh6tdkeDHZPRs1h3lDVa5xaGA1M5PUd/lFf8GEgJIIkk
dPJdn+G054pLiyn83U0AP63J/jQfG6NMokmr/vUGIFXFExGw+890G6DQqxEgLgM=
=Dax6
-----END PGP SIGNATURE-----
