New Contributor
Posts: 1
Registered: ‎06-05-2014

Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

Today OpenSSL Security Advisory [05 Jun 2014] was released and outlined specific vulnerabilities. Is Aruba impacted?

 

Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

Please keep an eye on http://www.arubanetworks.com/support-services/security-bulletins/.  Given this is a popular question, we'll be posting information there as soon as it's available.

 

-Jon

---
Jon Green, ACMX, CISSP
Security Guy
Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

Following up on this thread - a security advisory was posted this morning at http://www.arubanetworks.com/support/alerts/aid-06062014.txt regarding this issue.

 

My commentary:  So far this does not appear to be nearly as bad as Heartbleed.  Still, it's something you'll want to read and determine a response plan for.  If you have questions, please feel free to post them here and I'll answer as much as I'm able.

---
Jon Green, ACMX, CISSP
Security Guy
LC
New Contributor
Posts: 2
Registered: ‎09-23-2013

Re: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

Hi Jon, Are you able to provide any updates regarding the status of the releases for this vulnerability? Will Aruba send out a notification once the update firmwares are released?
Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014


Hello all,

 
We have released a patch for the OpenSSL library vulnerability, CVE-2014-0224, for ClearPass versions 6.1.0 - 6.1.4, 6.2.6 and 6.3.3.

  • For ClearPass 6.1 customers, the patch can be applied on all minor versions (6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4).
  • For ClearPass 6.2 customers, you have to update to 6.2.6 cumulative patch and then apply this patch.
  • For ClearPass 6.3 customers, you have to update to 6.3.3 cumulative patch and then apply this patch.

Please review the attached README for more information on how to install the patch for your respective ClearPass versions. In ClearPass UI, where supported, the patch should be visible on the Software updates screen under the section “Firmware and Patch Updates”. It is also available on our support site (support.arubanetworks.com) at the following locations for offline install.
  • Downloads —> ClearPass —> Policy Manager —> Archives —> 6.1.0 —> Patches.
  • Downloads —> ClearPass —> Policy Manager —> Archives —> 6.2.0 —> Patches.
  • Downloads —> ClearPass —> Policy Manager —> Current Release —> Patches.
Regards,
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

We are attempting to have all updates posted to the support site by end of day today.  ArubaOS 6.3.1.8 is already posted.  VIA 2.0.2 for Linux is in the process of being posted.  ClearPass updates are now available.  I haven't seen updates on ArubaOS 6.4.1.0 or AirWave yet but I believe they are on track for today.

 

We will update the security advisory on the website once all updates are available.

---
Jon Green, ACMX, CISSP
Security Guy
MVP
Posts: 706
Registered: ‎12-01-2010

Re: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

Airwave 7.7.12 is available for download, but no 8.0.1 yet

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

According to the advisory here: http://www.arubanetworks.com/support/alerts/aid-06062014.txt

- Note: AirWave customers running older versions are strongly encouraged to upgrade to 7.7.12.
  Customers who are unable to upgrade may run "yum update openssl; rd" from a root shell.
  This will update OpenSSL and restart all required processes.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

I have a customer running 6.2.1.3 and their McAfee Security Vulnerability scanner is reporting that it is vulnerable to CVE-2014-0224.

 

Nevertheless we are looking to upgrade anyway to 6.3.x.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Is Aruba affected by the OpenSSL Security Advisory 05 Jun 2014

The deal is that 6.2 contains a version of OpenSSL that does have the vulnerability, but it is not believed to be exploitable.  That is, it will recognize the ChangeCipherSpec message (which is what the vulnerability scanner is detecting) but the attacker won't be able to calculate the correct Finished hash.  Some discussion of the situation here:  https://www.imperialviolet.org/2014/06/05/earlyccs.html

 

This is why our security advisory indicates 6.2 "may" be vulnerable.  It's not exploitable as far as we know, but we still intend to issue patches during the next scheduled maintenance release just to be safe.


That said, upgrading to 6.3 is probably still a better plan.

---
Jon Green, ACMX, CISSP
Security Guy
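
Added example, not part of the original post and not Aruba's or any scanner's code: a passive check over captured TLS records that shows what an "early" ChangeCipherSpec means in message-order terms, including the session-resumption case where a client CCS without a ClientKeyExchange is legitimate. It assumes plaintext handshake messages are not fragmented across records; the function names and the sample byte strings are constructed for illustration.

```python
import struct

CCS, HANDSHAKE = 20, 22      # TLS record content types
CLIENT_KEY_EXCHANGE = 16     # handshake message type

def records(data):
    """Yield (content_type, payload) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, off)
        if off + 5 + length > len(data):
            break                          # truncated capture, stop parsing
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def handshake_types(payload):
    """Yield the message type of each plaintext handshake message."""
    off = 0
    while off + 4 <= len(payload):
        yield payload[off]
        off += 4 + int.from_bytes(payload[off + 1:off + 4], "big")

def early_client_ccs(segments):
    """segments: ordered (direction, bytes) pairs, direction 'c' or 's'."""
    # A client CCS is in order only after the client's ClientKeyExchange
    # (full handshake) or after the server's own CCS (session resumption).
    keys_ready = False
    for direction, data in segments:
        for ctype, payload in records(data):
            if ctype == CCS:
                if direction == "c":
                    return not keys_ready
                keys_ready = True          # server CCS: resumed session
            elif ctype == HANDSHAKE and direction == "c" and not keys_ready:
                keys_ready = CLIENT_KEY_EXCHANGE in handshake_types(payload)
    return False

def rec(ctype, payload):
    """Build one TLS 1.2 record (used only for the constructed samples)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def hs(msg_type, body=b""):
    """Build one handshake message with a placeholder body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Constructed samples, not real captures; message bodies are empty.
HELLO, SRV = ("c", rec(22, hs(1))), ("s", rec(22, hs(2) + hs(11) + hs(14)))
FULL = [HELLO, SRV, ("c", rec(22, hs(16)) + rec(20, b"\x01"))]
EARLY = [HELLO, SRV, ("c", rec(20, b"\x01") + rec(22, hs(16)))]
RESUMED = [HELLO, ("s", rec(22, hs(2)) + rec(20, b"\x01")), ("c", rec(20, b"\x01"))]
```

Only `EARLY` is flagged; `FULL` and `RESUMED` are normal orderings and pass.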