MVP
Posts: 1,422
Registered: ‎10-25-2011

GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

Do we know if this affects Airwave in any way?

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

Same question for ArubaOS, Instant and ClearPass, I would say.

Moderator
Posts: 245
Registered: ‎09-12-2007

Re: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

We have had our engineering teams looking at this since yesterday, and hope to have a statement ready by the end of the week. If you read the original advisory, you know that it's a bit complicated and there are various mitigations that can make this a non-issue in some cases. We're going through to determine whether the problem is exploitable on any of our products.

For AirWave specifically, you can preemptively apply a patch without waiting for our analysis. Log in to a root shell and execute "yum update glibc" - you'll get the Red Hat updated version that way.

---
Jon Green, ACMX, CISSP
Security Guy
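
Added example, not part of the original post or any Aruba tooling: `yum update glibc` replaces the library on disk, but processes started before the update keep the old copy mapped until they are restarted. The functions below list such processes; the `/proc` layout and the " (deleted)" marker are standard Linux behavior, while the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find processes still mapping the
# pre-update C library after the glibc package has been updated.
# Assumption: Linux /proc layout; a replaced library file shows up in
# /proc/PID/maps with the suffix " (deleted)".

# Succeeds if the given maps file contains a deleted libc mapping.
uses_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Prints "PID COMMAND" for every process under PROC_ROOT (default /proc)
# that still has the old libc mapped.
list_stale_procs() {
    _root="${1:-/proc}"
    for _dir in "$_root"/[0-9]*; do
        [ -r "$_dir/maps" ] || continue
        if uses_stale_libc "$_dir/maps"; then
            _name="$(cat "$_dir/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "${_dir##*/}" "$_name"
        fi
    done
}

# Constructed sample: a fake /proc tree with one stale and one fresh process.
make_sample_proc() {
    _tmp="$(mktemp -d)"
    mkdir -p "$_tmp/101" "$_tmp/202"
    echo 'httpd' > "$_tmp/101/comm"
    echo '7f1c2a000000-7f1c2a18a000 r-xp 00000000 fd:00 1311 /lib64/libc-2.12.so (deleted)' > "$_tmp/101/maps"
    echo 'sshd' > "$_tmp/202/comm"
    echo '7f9b10000000-7f9b1018a000 r-xp 00000000 fd:00 1422 /lib64/libc-2.12.so' > "$_tmp/202/maps"
    echo "$_tmp"
}

# On a real host, run as root after the update: list_stale_procs /proc
```

Any process it lists needs a restart (or the host a reboot) before the updated library is actually in use.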
Moderator
Posts: 245
Registered: ‎09-12-2007

Re: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

At this point in our analysis, our conclusion is that no Aruba product is affected by this. We'll update the C library in the next feasible maintenance release just to be safe, but we have gone through all of the relevant code and concluded that there's no way to trigger the vulnerability today.

---
Jon Green, ACMX, CISSP
Security Guy
MVP
Posts: 1,422
Registered: ‎10-25-2011

Re: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

Will there be a security advisory sent out explaining that this isn't an issue?
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Moderator
Posts: 245
Registered: ‎09-12-2007

Re: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

I am really trying not to send out advisories for things that are NOT an actual vulnerability. It seems to be difficult enough to get people to pay attention to the advisories that ARE problems - I worry that if we start notifying people when things aren't broken, it will get even worse. It also sets a precedent - where do we draw the line on what we send out? There's quite a bit of open-source code used by Aruba products. Do we send notifications any time one of them has a vulnerability that doesn't affect us?

I'm open to suggestions on this.. any feedback from the community?

---
Jon Green, ACMX, CISSP
Security Guy
MVP
Posts: 1,422
Registered: ‎10-25-2011

Re: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

Thanks, Jon. No worries, just curious, as I have been asked to report back to the customer whether this is a problem or not, hence why I asked if a statement would go out.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Aruba Employee
Posts: 6
Registered: ‎12-27-2007

Re: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

Once Aruba sets a precedent it is harder to change. I am of the same mind as Jon in not reacting to issues that, in fact, are non-issues for Aruba products. I deal with within Aruba's Partner community each time there is a vulnerability announced.

George Anderson

Aruba Channel Enablement Engineer

New Contributor
Posts: 1
Registered: ‎01-29-2015

Re: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

I do not agree. The Airwave platform is using a vulnerable version of GLIBC. The questions are: is that vulnerability currently exploitable and how soon will the vulnerability be patched. I would expect Aruba support to issue a statement informing the user base how exposed the current system is to an actual exploit and what is being done to update the software, even if that statement is "Airwave is not currently exploitable and an updated GLIBC will be included in a future maintenance upgrade".

Contributor I
Posts: 24
Registered: ‎06-21-2012

Re: GHOST: glibc gethostbyname buffer overflow - CVE-2015-0235

William Thompson, I agree totally. It is the minimum that I would expect from any vendor. I am being asked by management which systems are affected by this vulnerability and can find no information on Aruba's website. Cisco's website, however, has all the information I would need to find out which products are affected and what actions are being taken to address the vulnerability. Will anyone at Aruba step up to the plate?
