Contributor II
Posts: 53
Registered: 01-16-2013

Clearpass and new struts2 Vulnerability ...

Has there been any word if Clearpass is vulnerable to the new attack and if a patch is imminent? I'm running 6.6.4.91777, but I believe it was released before the struts2 announcement. (CVE-2017-5638)

Mike Davis
Network Engineer
University of Delaware
Guru Elite
Posts: 8,447
Registered: 09-08-2010

Re: Clearpass and new struts2 Vulnerability ...

Security advisories are posted here:
http://www.arubanetworks.com/support-services/security-bulletins/

Incident Response Policy: http://www.arubanetworks.com/assets/support/SecurityIncidentResponsePolicy.pdf

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 11
Registered: 06-15-2015

Re: Clearpass and new struts2 Vulnerability ...

I've confirmed that CPPM 6.6.3 is vulnerable to this exploit. Using a very simple script, as an unauthenticated user I was able to dump the /etc/passwd file on the appliance. Testing now to see what else I am able to do.

Occasional Contributor II
Posts: 11
Registered: 06-15-2015

Re: Clearpass and new struts2 Vulnerability ...

Clarifying my own words: "unauthenticated" means unauthenticated to the web server. In our scenario you still need to at least be authenticated to our guest network.

Moderator
Posts: 243
Registered: 09-12-2007

Re: Clearpass and new struts2 Vulnerability ...

Please see http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt for details.

---
Jon Green, ACMX, CISSP
Security Guy
Guru Elite
Posts: 8,447
Registered: 09-08-2010

Re: Clearpass and new struts2 Vulnerability ...

The hotfixes for ClearPass 6.5.7 and 6.6.4 have been posted to the support site (Aruba Support site) and the software updates portal.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480