Security

 View Only
last person joined: 14 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass PHP Version - End of Life

This thread has been viewed 60 times
  • 1.  Clearpass PHP Version - End of Life

    Posted Nov 27, 2023 02:13 PM

    I've searched the forums, google, opened a TAC case and emailed our account team, and no one has been able to provide an answer our security team is accept. 

    We have an ongoing scan result that is showing Clearpass running PHP v7.x, which is tagged as EOL. TAC has confirmed the versions of PHP running in clearpass as 7.x (where x depends on the branch). The PHP website is showing PHP v7.4 going end of life in November 2022. Anyone have any information on when or if Aruba is going to release any branch of Clearpass with a supported version of PHP?

    This is an ongoing unresolved internal ticket, and I was surprised my searching didn't bring up anyone else asking about it, which makes me think I've (hopefully) missed something. 

    Thanks



  • 2.  RE: Clearpass PHP Version - End of Life

    Posted Dec 01, 2023 03:41 PM

    I just got an alert from my security team today, Dec 1, asking about the same thing.  I'll open a TAC case too.




  • 3.  RE: Clearpass PHP Version - End of Life

    Posted Dec 01, 2023 04:12 PM

    Hi

    What ClearPass are you running?

    It sound very strange if ClearPass 6.11 would have an End of Life version of PHP as this version was released this time of year in 2022.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: Clearpass PHP Version - End of Life

    Posted Dec 01, 2023 06:18 PM

    I opened a ticket with support and they replied

    As of now, we support For Clearpass v6.10.1 having PHP v7.3.28.Clearpass v6.10.7 has PHP v7.3.33.And for Clearpass v6.11.3 found with PHP version is  7.4.33.

    Our sales engineer confirmed with this message 

    "Currently we are still using PHP version 7, which has been noted to be "end of life".  That limitation is then not impacting customers however as we have been working with extended support of the language by one of the maintainers that releases the security only fixes regularly under his own project name to provide these security fixes.  The timeline of this will be sufficient to cover existing customers and not force them to upgrade to PHP 8 in the 6.11 release.  We are otherwise in process off migrating to PHPv8, however due to the large number of incompatibilities with previous versions of the language we opted to not force customers to undergo that change with the 6.11 reinstall.  This then also provides us the chance to auto-convert some of the issues that customers would otherwise be forced to undergo themselves such that when we release PHPv8 in a future SSR version that it allows customers the opportunity to minimize their additional work."

    I understand that it's a big lift to upgrade to a new release of PHP, but it would be nice to have some sort of roadmap or projected release date for the exception to the remediation. I was hoping someone here may have heard something more than what I have. 




  • 5.  RE: Clearpass PHP Version - End of Life

    Posted Jun 18, 2024 04:52 PM

    Update 6/18/24 - CVE-2024-4577

    For those running clearpass in a windows, this is a critical vulnerability related to PHP and CGI. There is no mention I can find of this CVE in the Aruba Security Advisories. 

    The release notes for Clearpass Cumulative Patch 2 for 6.12.0, 6.12.1 (released 05/21/24) show

    It is going to suck to have to migrate to another NAC if there isn't a fix in the very near future for this. 




  • 6.  RE: Clearpass PHP Version - End of Life

    EMPLOYEE
    Posted Jun 19, 2024 12:28 PM

    The CVE you've mentioned is only applicable to PHP running within a Windows environment.  ClearPass is not running on a Windows kernel.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Clearpass PHP Version - End of Life

    Posted Jun 19, 2024 12:32 PM

    Yep, sorry. Bit of a knee jerk reaction there. 




  • 8.  RE: Clearpass PHP Version - End of Life

    MVP
    Posted Jun 20, 2024 05:35 PM

    I believe even ClearPass 6.12 is running PHP 7.4. Unless HPE has bought ZendPHP for their customers, official support on that version vanished in late 2020,

    How dependable is a security server using unsupported libraries? The current PHP version is now 8.3. 8.1 is on extended support until the end of 2025.

    I have asked the above questions for my personal enlightenment. apart from my employer.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 9.  RE: Clearpass PHP Version - End of Life

    EMPLOYEE
    Posted Jun 20, 2024 06:36 PM

    Please remember that the product is ClearPass, not Linux, not PHP.  HPE Aruba Networking supports the ClearPass appliance which includes the base OS and the libraries required for ClearPass to operate.  Regardless of the current support state for individual libraries in the public domain, those libraries continue to be patched with the necessary security fixes and rolled out as ClearPass support patches and hotfixes.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: Clearpass PHP Version - End of Life

    EMPLOYEE
    Posted 27 days ago

    Bruce ~

    For your personal enlightenment :) Yes, PHP 7 "vanished" in late 2020 officially.  We do have access to the extended support of the PHP 7 system directly from the maintainers.  They have committed to providing the security only fixes for PHP 7 for multiple years.  You can get a more official statement from TAC if needed.

    Because of a number of incompatibilities with PHP 7 and 8, we decided to not force customers to go through the potential need to update any customized code they may be running during the same time we are doing a system re-install with 6.11. While it isn't likely to impact all customers, the impact to a few customers on top of the rest of the changes was something that we didn't want to force on people in an LSR version.




  • 11.  RE: Clearpass PHP Version - End of Life

    MVP
    Posted 27 days ago

    Thank you for the update & affirmation. Is there any plan to ever update? Iht longer the delay, the greater amount of work involved in updating.

    It appeared strange to me that 6.11 was tagged as LSR from the start of the release, especially confidering all of the major changes.

    I remember back when CPPM 6.0.0 was released, combining CPPM & Guest. It was not until version 6.2.x that it was stable enough for us tom move from trusty 5.1.1.

    We are currently running 6.12 due to the face that Entra ID support was rewritten after 6.11.It is summer, but so far, things are going well.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 12.  RE: Clearpass PHP Version - End of Life

    EMPLOYEE
    Posted 27 days ago

    Tell your account team to get a PLM Roadmap conversation setup and I'll answer this and any of the other questions you have around it.  Unfortunately, I can't respond about "future plans" in a public forum.