-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2017-003
CVE: CVE-2017-9804, CVE-2017-9793, CVE-2017-9805, CVE-2017-12611
Publication Date: 2017-Sep-11
Status: Confirmed
Revision: 1

Title
=====
Apache Struts Multiple Vulnerabilities

Overview
========
The Apache Struts group announced Struts version 2.3.34 on September 7, 2017. Included in this update were fixes for four security vulnerabilities. Aruba ClearPass makes use of Apache Struts. This advisory provides details on Aruba's exposure to these vulnerabilities.

-- CVE-2017-9804 (Affected)
-- CVE-2017-9793 (NOT affected)
-- CVE-2017-9805 (NOT affected)
-- CVE-2017-12611 (POSSIBLY affected)

Affected Products
=================
-- ClearPass Policy Manager (all versions)

Unaffected Products
===================
-- ArubaOS
-- Aruba Instant
-- AirWave
-- ALE
-- All Aruba cloud services including Aruba Central and Meridian
-- IntroSpect

Details
=======
ClearPass 6.6.5 through 6.6.7 contain Apache Struts version 2.3.32.

Possible DoS attack when using URLValidator (CVE-2017-9804)
-----------------------------------------------------------
The ClearPass Policy Manager administrative Web interface is affected by this vulnerability. ClearPass Guest, Insight, and Graphite are NOT affected. This vulnerability is only exposed to authenticated administrative users with read/write access to the system.

Severity: Low
CVSSv3 Overall Score: 2.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

DoS attack when using REST plugin (CVE-2017-9793)
-------------------------------------------------
ClearPass does not use the REST plugin.

Remote Code Execution when using the REST plugin (CVE-2017-9805)
----------------------------------------------------------------
ClearPass does not use the REST plugin.
Remote Code Execution when using specific Freemarker tags (CVE-2017-12611)
--------------------------------------------------------------------------
ClearPass MAY be affected by this vulnerability. In testing and analysis, Aruba has been unable to successfully exploit this flaw or identify a path for exploitation. Aruba will patch this vulnerability in ClearPass 6.6.8 and will update this advisory if new information becomes available. Restricting access to the Admin Web Interface as described below will limit the scope of this potential vulnerability.

Resolution
==========
Aruba will include a fix for CVE-2017-9804 in the next scheduled maintenance release, which is version 6.6.8. The target release date for ClearPass 6.6.8 is September 27, 2017.

Workarounds
===========
As a standard best practice, Aruba recommends that ClearPass administrators restrict access to the Policy Manager Admin Web Interface. This can be accomplished by navigating to Administration >> Server Manager >> Server Configuration >> Network >> Restrict Access and only allowing non-public or network management networks.

Revision History
================
Revision 1 / 2017-Sep-11 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZtuxiAAoJEJj+CcpFhYbZShUH/3G2x86tP6s/06BzXh6xvfT1
9g7iPmRlWVnqWGQsypFhN7GuxHDCLhy7cwguXehvkBaMxruQd+BMAMsaJ+P9sCMo
0Ay4JzExAiy7n0DPFzRVMt00KcsHLgnO4yFvaEGMXxvYTQweiQESPtKZxGUdvSsW
+zp9yBOz0xlcTDGV3qil6sBJ4vBvLlou3ZOWQg/TQCGP2X4QumpYEoqo6PdyrL0e
Ca6klXifkqbsuNdb75mXrh6tdkeDHZPRs1h3lDVa5xaGA1M5PUd/lFf8GEgJIIkk
dPJdn+G054pLiyn83U0AP63J/jQfG6NMokmr/vUGIFXFExGw+890G6DQqxEgLgM=
=Dax6
-----END PGP SIGNATURE-----