Contributor II
Posts: 53
Registered: ‎01-16-2013
OpenSSL vulnerability

All of our v6.4.0.2 controllers are reporting to be vulnerable to the zero-day OpenSSL bug.

Is there any timeline for updates/patches to close the hole?

We ACL block outside access to the controllers, but are limited to how much we can scope inside access.

Mike Davis
Network Engineer
University of Delaware
Guru Elite
Posts: 8,460
Registered: ‎09-08-2010
Re: OpenSSL vulnerability

No new information, but there is already a post.

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Heartbleed-CVE-2014-0160-Problem/m-p/154248


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 53
Registered: ‎01-16-2013
Re: OpenSSL vulnerability

Thanks.. I searched for OpenSSL but didn't turn up anything, should have been searching for heartbleed :/

Mike Davis
Network Engineer
University of Delaware
Moderator
Posts: 27
Registered: ‎07-24-2012
Re: OpenSSL vulnerability

Everyone -

I'm the security product manager at Aruba. Please note that this is not a formal communication; we will be posting a formal communication on our website according to our security policy shortly. That update will be posted here - http://www.arubanetworks.com/support-services/security-bulletins/

We are still assessing our exposure to this vulnerability, but it clearly impacts AOS 6.3.x and AOS 6.4.x. We are working on updates to these as I type this, with the intention of publishing them as soon as we can finish and complete testing.

Until then, reducing access to the web GUI via control plane ACLs makes sense. Other steps to limit exposure will be published as they are identified, and included in the security bulletin.

We are doing a careful analysis of the impact - the problem with this attack is that it gives the attacker access to some parts of the memory of the attacked system. The advice on the internet to change all private keys is based on the fear that the key could be in this segment of memory. We're validating whether or not this is the case, but you will have to decide your organization's tolerance to this particular risk.

Thanks for your understanding, and we'll keep you informed.

Super Contributor II
Posts: 429
Registered: ‎01-19-2011
Re: OpenSSL vulnerability

Are the IAP products affected?

Aruba
Posts: 1,644
Registered: ‎04-13-2009
Re: OpenSSL vulnerability

No, IAP is not affected. Only the following:

• ArubaOS 6.3.x, 6.4.x
• ClearPass 6.1.x, 6.2.x, 6.3.x

See http://www.arubanetworks.com/support/alerts/aid-040814.asc for details.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 1,422
Registered: ‎10-25-2011
Re: OpenSSL vulnerability

Got an email today from the security team, and they will be issuing new patches within the next couple of days to address the vulnerability.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Moderator
Posts: 27
Registered: ‎07-24-2012
Re: OpenSSL vulnerability

Images have been posted on the support site.

Regular Contributor I
Posts: 236
Registered: ‎04-03-2007
Re: OpenSSL vulnerability

I don't see an update for ClearPass..

Moderator
Posts: 27
Registered: ‎07-24-2012
Re: OpenSSL vulnerability

Oops. Sorry. I was referring to AOS. ClearPass should be up soon.
