
Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

  • 1.  Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    Posted Jun 05, 2014 10:31 PM

    Today OpenSSL Security Advisory [05 Jun 2014] was released and outlined specific vulnerabilities.  Is Aruba impacted?

     



  • 2.  RE: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    EMPLOYEE
    Posted Jun 06, 2014 01:17 AM

    Please keep an eye on http://www.arubanetworks.com/support-services/security-bulletins/.  Given this is a popular question, we'll be posting information there as soon as it's available.

     

    -Jon



  • 3.  RE: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    EMPLOYEE
    Posted Jun 07, 2014 12:20 AM

    Following up on this thread - a security advisory was posted this morning at http://www.arubanetworks.com/support/alerts/aid-06062014.txt regarding this issue.

     

    My commentary:  So far this does not appear to be nearly as bad as Heartbleed.  Still, it's something you'll want to read and determine a response plan for.  If you have questions, please feel free to post them here and I'll answer as much as I'm able.



  • 4.  RE: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    Posted Jun 13, 2014 11:28 AM
    Hi Jon, are you able to provide any updates regarding the status of the releases for this vulnerability? Will Aruba send out a notification once the updated firmware is released?


  • 5.  RE: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    EMPLOYEE
    Posted Jun 13, 2014 04:41 PM

    Hello all,

     
    We have released a patch for the OpenSSL library vulnerability, CVE-2014-0224, for ClearPass versions 6.1.0 - 6.1.4, 6.2.6 and 6.3.3.
     
    • For ClearPass 6.1 customers, the patch can be applied on all minor versions (6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4).
    • For ClearPass 6.2 customers, you have to update to 6.2.6 cumulative patch and then apply this patch.  
    • For ClearPass 6.3 customers, you have to update to 6.3.3 cumulative patch and then apply this patch.
     
    Please review the attached README for more information on how to install the patch for your respective ClearPass versions. In ClearPass UI, where supported the patch should be visible on the Software updates screen under the section “Firmware and Patch Updates”. It is also available on our support site (support.arubanetworks.com) at the following locations for offline install. 
    • Downloads —> ClearPass —> Policy Manager —> Archives —> 6.1.0 —> Patches.
    • Downloads —> ClearPass —> Policy Manager —> Archives —> 6.2.0 —> Patches.
    • Downloads —> ClearPass —> Policy Manager —> Current Release —> Patches.
    Regards,


  • 6.  RE: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    EMPLOYEE
    Posted Jun 13, 2014 04:46 PM

    We are attempting to have all updates posted to the support site by end of day today.  ArubaOS 6.3.1.8 is already posted.  VIA 2.0.2 for Linux is in the process of being posted.  ClearPass updates are now available.  I haven't seen updates on ArubaOS 6.4.1.0 or AirWave yet but I believe they are on track for today.

     

    We will update the security advisory on the website once all updates are available.



  • 7.  RE: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    Posted Jun 13, 2014 06:13 PM

    Airwave 7.7.12 is available for download, but no 8.0.1 yet



  • 8.  RE: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    EMPLOYEE
    Posted Jun 13, 2014 09:53 PM

    According to the advisory here:  http://www.arubanetworks.com/support/alerts/aid-06062014.txt

     

     

    - Note: AirWave customers running older versions are strongly encouraged to upgrade to 7.7.12. 
    	  Customers who are unable to upgrade may run "yum update openssl; rd" from a root shell.  
    	  This will update OpenSSL and restart all required processes.
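
After the `yum update openssl` step quoted above, two things are worth confirming on the host: that the installed package carries the CVE-2014-0224 fix, and that no running process still maps the replaced library. The shell functions below are an added example, not part of the Aruba advisory or this thread; the function names are hypothetical, and an rpm-based host with a Linux `/proc` is assumed.

```shell
#!/bin/sh
# Added example: post-update checks after "yum update openssl".
# Function names are hypothetical; assumes an rpm-based host and Linux /proc.

# changelog_has_fix CVE-ID: reads an RPM changelog on stdin and succeeds if
# it mentions the CVE. Distro packages backport fixes, so the upstream
# version string printed by "openssl version" is not a reliable indicator.
changelog_has_fix() {
    grep -q -- "$1"
}

# stale_ssl_pids [PROC_ROOT]: prints PIDs of processes that still map a
# libssl/libcrypto file that has been replaced on disk. The kernel marks
# such mappings "(deleted)" in /proc/<pid>/maps; those processes keep
# running the old code until they are restarted.
stale_ssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# verify_openssl_update: run from a root shell on the updated host.
verify_openssl_update() {
    if rpm -q --changelog openssl | changelog_has_fix CVE-2014-0224; then
        echo "openssl package changelog lists CVE-2014-0224"
    else
        echo "WARNING: installed openssl package does not list CVE-2014-0224"
        return 1
    fi
    stale=$(stale_ssl_pids /proc)
    if [ -n "$stale" ]; then
        echo "WARNING: processes still using the old library:" $stale
        return 1
    fi
    echo "no running process maps a replaced libssl/libcrypto"
}

# Only touches the system when explicitly asked to.
if [ "${1:-}" = "--check" ]; then verify_openssl_update; fi
```

Any PID it reports belongs to a service that was started before the update and still needs a restart.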
    

     



  • 9.  RE: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    EMPLOYEE
    Posted Sep 05, 2014 03:34 AM

    I have a customer running 6.2.1.3 and their McAfee Security Vulnerability scanner is reporting that it is vulnerable to CVE-2014-0224.

     

    Nevertheless we are looking to upgrade anyway to 6.3.x.



  • 10.  RE: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

    EMPLOYEE
    Posted Sep 05, 2014 09:54 AM

    The deal is that 6.2 contains a version of OpenSSL that does have the vulnerability, but it is not believed to be exploitable.  That is, it will recognize the ChangeCipherSpec message (which is what the vulnerability scanner is detecting) but the attacker won't be able to calculate the correct Finished hash.  Some discussion of the situation here:  https://www.imperialviolet.org/2014/06/05/earlyccs.html

     

    This is why our security advisory indicates 6.2 "may" be vulnerable.  It's not exploitable as far as we know, but we still intend to issue patches during the next scheduled maintenance release just to be safe.


    That said, upgrading to 6.3 is probably still a better plan.