GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

  • 1.  GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Jan 28, 2015 10:36 AM

    Do we know if this affects Airwave in any way?



  • 2.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Jan 28, 2015 12:39 PM

    Same question for ArubaOS, Instant and ClearPass, I would say.



  • 3.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    EMPLOYEE
    Posted Jan 28, 2015 04:00 PM

    We have had our engineering teams looking at this since yesterday, and hope to have a statement ready by the end of the week.  If you read the original advisory, you know that it's a bit complicated and there are various mitigations that can make this a non-issue in some cases.  We're going through to determine whether the problem is exploitable on any of our products.


    For AirWave specifically, you can preemptively apply a patch without waiting for our analysis.  Log in to a root shell and execute "yum update glibc" - you'll get the RedHat updated version that way.
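The post above gives the remediation step ("yum update glibc"); what it does not show is how to verify afterwards whether a host's glibc still carries CVE-2015-0235. The script below is an added example, not part of this thread and not Aruba's own tooling. It assumes an RPM-based host (the RedHat-derived AirWave appliance the post implies) with `rpm`, `getconf` and `awk` available; the function names are mine. The one fact it relies on is that the GHOST bug was fixed upstream in glibc 2.18, with 2.2 through 2.17 affected.

```shell
#!/bin/sh
# Added example (not from the thread or from Aruba): defender-side check for
# whether the installed glibc still carries CVE-2015-0235 (GHOST).
# Assumptions: RPM-based host (e.g. a RedHat-derived AirWave appliance),
# with rpm, getconf and awk on PATH. Function names are hypothetical.

# Upstream, GHOST was fixed in glibc 2.18 (2.2 through 2.17 are affected).
# Returns 0 if the MAJOR.MINOR version string is 2.18 or newer, 1 otherwise.
glibc_version_fixed_upstream() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # drop any non-numeric suffix some builds append (e.g. "2.17-55" -> 17)
    minor=${minor%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in '') return 1 ;; esac
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; then return 0; fi
    return 1
}

# Enterprise distributions backport fixes without changing the upstream
# version (RHEL 6 stayed on glibc 2.12), so a bare version check reports a
# false positive there. The RPM changelog records the CVE instead.
# Returns 0 if the installed glibc package changelog mentions the CVE.
glibc_changelog_mentions_cve() {
    cve="${1:-CVE-2015-0235}"
    rpm -q --changelog glibc 2>/dev/null | grep -q "$cve"
}

# Combine both checks and print a one-line verdict; returns 1 when neither
# check finds evidence of the fix.
ghost_status() {
    ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    if glibc_version_fixed_upstream "$ver"; then
        echo "glibc $ver: upstream version already includes the GHOST fix"
    elif glibc_changelog_mentions_cve CVE-2015-0235; then
        echo "glibc $ver: vendor backport present (changelog references CVE-2015-0235)"
    else
        echo "glibc $ver: no evidence of the GHOST fix; run 'yum update glibc'"
        return 1
    fi
}
```

Run `ghost_status` as root after patching. Note that updating the package does not change the copy of libc already mapped into running processes, so long-lived daemons need a restart (or the appliance a reboot) before the fix is actually in effect; the check above only tells you what is on disk.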



  • 4.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    EMPLOYEE
    Posted Jan 30, 2015 01:11 PM

    At this point in our analysis, our conclusion is that no Aruba product is affected by this.  We'll update the C library in the next feasible maintenance release just to be safe, but we have gone through all of the relevant code and concluded that there's no way to trigger the vulnerability today.



  • 5.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Jan 30, 2015 01:13 PM

    Will there be a security advisory sent out explaining that this isn't an issue?


  • 6.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    EMPLOYEE
    Posted Jan 30, 2015 01:19 PM

    I am really trying not to send out advisories for things that are NOT an actual vulnerability.  It seems to be difficult enough to get people to pay attention to the advisories that ARE problems - I worry that if we start notifying people when things aren't broken, it will get even worse.  It also sets a precedent - where do we draw the line on what we send out?  There's quite a bit of open-source code used by Aruba products.  Do we send notifications any time one of them has a vulnerability that doesn't affect us?


    I'm open to suggestions on this. Any feedback from the community?



  • 7.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Jan 30, 2015 01:28 PM

    Thanks Jon. No worries, just curious, as I have been asked to report back to the customer whether this is a problem or not, hence why I asked if a statement would go out.


  • 8.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Jan 30, 2015 02:36 PM

    Once Aruba sets a precedent it is harder to change. I am of the same mind as Jon in not reacting to issues that, in fact, are non-issues for Aruba products. I deal with this within Aruba's Partner community each time a vulnerability is announced.


    George Anderson

    Aruba Channel Enablement Engineer



  • 9.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Feb 02, 2015 12:33 PM

    I do not agree. The AirWave platform is using a vulnerable version of GLIBC. The questions are: is that vulnerability currently exploitable, and how soon will the vulnerability be patched? I would expect Aruba support to issue a statement informing the user base how exposed the current system is to an actual exploit and what is being done to update the software, even if that statement is "AirWave is not currently exploitable and an updated GLIBC will be included in a future maintenance upgrade".



  • 10.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Feb 04, 2015 11:45 AM

    William Thompson, I agree totally.  It is the minimum that I would expect from any vendor.  I am being asked by management which systems are affected by this vulnerability and can find no information on Aruba's website.  Cisco's website, however, has all the information I would need to find out which products are affected and what actions are being taken to address the vulnerability.  Will anyone at Aruba step up to the plate?



  • 11.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    EMPLOYEE
    Posted Feb 04, 2015 12:24 PM

    We talked this over.  Given the number of "popular" vulnerabilities in the last year (the ones that get their own names and which make it into the mainstream news) it does make sense to publish information on these.  I have a request in to our website team to create a new section that I can use for this purpose.  Will update back on this thread once that is done.



  • 12.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Feb 04, 2015 12:35 PM

    I must say I am pleasantly surprised!  Thank you for the quick response Jon!



  • 13.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Feb 17, 2016 04:26 PM

    Is there any update on when we might see an official statement?


    Thanks!



  • 14.  RE: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

    Posted Feb 22, 2016 02:36 PM

    On what exactly, GHOST 1.0 or GHOST 2.0?


    1.0 is explained above.


    2.0 is mentioned here: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-001-glibc.txt