on 04-08-2014 08:25 AM
All of our v126.96.36.199 controllers are reporting to be vulnerable to the zero-day OpenSSL bug.
Is there any timeline for updates/patches to close the hole?
We ACL block outside access to the controllers, but are limited in how much we can scope inside access.
University of Delaware
on 04-08-2014 08:28 AM
No new information, but there is already a post.
on 04-08-2014 10:18 AM
I'm the security product manager at Aruba. Please note that this is not a formal communication; we will be posting a formal communication on our website according to our security policy shortly. That update will be posted here - http://www.arubanetworks.com/support-services/security-bulletins/
We are still assessing our exposure to this vulnerability, but it clearly impacts AOS 6.3.x and AOS 6.4.x. We are working on updates to these as I type this, with the intention of publishing them as soon as we can finish and complete testing.
Until then, reducing access to the web GUI via control plane ACLs makes sense. Other steps to limit exposure will be published as they are identified, and included in the security bulletin.
We are doing a careful analysis of the impact - the problem with this attack is that it gives the attacker access to some parts of the memory of the attacked system. The advice on the internet to change all private keys is based on the fear that the key could be in this segment of memory. We're validating whether or not this is the case, but you will have to decide your organization's tolerance to this particular risk.
Thanks for your understanding, and we'll keep you informed.
04-09-2014 05:25 AM - edited 04-09-2014 05:26 AM
No, IAP is not affected. Only the following:
• ArubaOS 6.3.x, 6.4.x
• ClearPass 6.1.x, 6.2.x, 6.3.x
See http://www.arubanetworks.com/support/alerts/aid-040814.asc for details.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
on 04-09-2014 02:34 PM
ACDX #420 | ACMP