Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Clearpass and new struts2 Vulnerability ...

  • 1.  Clearpass and new struts2 Vulnerability ...

    Posted Mar 10, 2017 06:31 AM

    Has there been any word on whether ClearPass is vulnerable to the new attack and if a patch is imminent? I'm running 6.6.4.91777, but I believe it was released before the Struts2 announcement. (CVE-2017-5638)


  • 2.  RE: Clearpass and new struts2 Vulnerability ...

    EMPLOYEE
    Posted Mar 10, 2017 07:52 AM


  • 3.  RE: Clearpass and new struts2 Vulnerability ...

    Posted Mar 10, 2017 03:51 PM

    I've confirmed that CPPM 6.6.3 is vulnerable to this exploit. Using a very simple script, as an unauthenticated user I was able to dump the /etc/passwd file on the appliance. Testing now to see what else I am able to do.



  • 4.  RE: Clearpass and new struts2 Vulnerability ...

    Posted Mar 10, 2017 03:55 PM

    Clarifying my own words: "unauthenticated" means unauthenticated to the web server. In our scenario you still need to at least be authenticated to our guest network.



  • 5.  RE: Clearpass and new struts2 Vulnerability ...

    EMPLOYEE
    Posted Mar 10, 2017 07:30 PM


  • 6.  RE: Clearpass and new struts2 Vulnerability ...
    Best Answer

    EMPLOYEE
    Posted Mar 14, 2017 08:29 PM
    The hotfixes for ClearPass 6.5.7 and 6.6.4 have been posted to the support site (Aruba Support site) and the software updates portal.