Aruba Product Security Advisory ARUBA-PSA-2017-003 (ClearPass)




Aruba Product Security Advisory


Advisory ID: ARUBA-PSA-2017-003

CVE: CVE-2017-9804, CVE-2017-9793, CVE-2017-9805, CVE-2017-12611

Publication Date: 2017-Sep-11

Status: Confirmed

Revision: 1





Apache Struts Multiple Vulnerabilities





The Apache Struts group announced Struts version 2.3.34 on September 7, 2017. Included in this update were fixes for four security vulnerabilities.

Aruba ClearPass makes use of Apache Struts. This advisory provides details on Aruba’s exposure to these vulnerabilities.

— CVE-2017-9804 (Affected)

— CVE-2017-9793 (NOT affected)

— CVE-2017-9805 (NOT affected)

— CVE-2017-12611 (POSSIBLY affected)



Affected Products


— ClearPass Policy Manager (all versions)



Unaffected Products


— ArubaOS

— Aruba Instant

— AirWave


— All Aruba cloud services including Aruba Central and Meridian

— IntroSpect





ClearPass 6.6.5 through 6.6.7 contain Apache Struts version 2.3.32.


Possible DoS attack when using URLValidator (CVE-2017-9804)


The ClearPass Policy Manager administrative Web interface is affected by this vulnerability. ClearPass Guest, Insight, and Graphite are NOT affected. This vulnerability is only exposed to authenticated administrative users with read/write access to the system.


Severity: Low

CVSSv3 Overall Score: 2.7



DoS attack when using REST plugin (CVE-2017-9793)


ClearPass does not use the REST plugin.


Remote Code Execution when using the REST plugin (CVE-2017-9805)


ClearPass does not use the REST plugin.


Remote Code Execution when using specific Freemarker tags (CVE-2017-12611)


ClearPass MAY be affected by this vulnerability. In testing and analysis, Aruba has been unable to successfully exploit this flaw or identify a path for exploitation. Aruba will patch this vulnerability in ClearPass 6.6.8 and will update this advisory if new information becomes available. Restricting access to the Admin Web Interface as described below will limit the scope of this potential vulnerability.





Aruba will include a fix for CVE-2017-9804 in the next scheduled maintenance release, which is version 6.6.8. The target release date for ClearPass 6.6.8 is September 27, 2017.





As a standard best practice, Aruba recommends that ClearPass administrators restrict access to the Policy Manager Admin Web Interface. This can be accomplished by navigating to Administration >> Server Manager >> Server Configuration >> <Server-Name> >> Network >> Restrict Access and allowing only non-public or network management networks.



Revision History



Revision 1 / 2017-Sep-11 / Initial release



Aruba SIRT Security Procedures



Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at:



For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at). For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:



(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.













