Security

Hello all,

ClearPass fixes for Struts security vulnerabilities are now available for versions 6.1.4, 6.2.6 and 6.3.0/6.3.1  The security vulnerabilities addressed in the patches are CVE-2014-0094, CVE-2014-0050, CVE-2014-0112, CVE-2014-0113.  Please review the attached README document for more information. 

Individual patches are available for ClearPass 6.1.4 and 6.2.6. For versions 6.3.1, the fixes are part of the latest cumulative update 6.3.2. There is no separate security patch available for these versions. Users should install the cumulative update 6.3.2 to obtain these fixes. 

For ClearPass 6.1.4 and 6.2.6 please review the README for prerequisites before installing the patch. Customers can install the patches from the Software Updates screen in ClearPass UI. The patches are also available for offline download and install from our support site (support.arubanetworks.com) at the following locations. 

• ClearPass 6.1.4 :  Downloads > ClearPass > Policy Manager > Archives > 6.1.0 > Patches > ClearPass 6.1.4 Struts security vulnerability
• ClearPass 6.2.6 :  Downloads > ClearPass > Policy Manager > Archives > 6.2.0 > Patches > ClearPass 6.2.6 Struts security vulnerability
• ClearPass 6.3.0/6.3.1 : Downloads > ClearPass > Policy Manager > Current Release > 6.3.0 > Patches > ClearPass 6.3.2 Cumulative Update

Attachment(s)

ClearPass_6.2.6_6.1.4_Vulnerability_Issue_Patch_README.pdf   120 KB 1 version

Highly recommend you change all your passwords after you apply the patch, especially if your CPPM is internet facing.  Potiental for unauthenticated users getting all your CPPM password from etc/password file due this exploit.

Aruba Partner Network Consultant

**Aruba Wireless ACMP / ClearPass ACCP / CCNP Professional **
If a reply addresses your issue, please click on the "Accept as Solution" and "Give Kudos"

These vulnerabilities were patched almost 3 years ago.