Well, the advisory states that this is only relevant "if the web-server configuration is changed from default settings to use RSA ciphers."
So if you have not changed the default setting, then your product will not be affected. (This is my understanding.)
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------
Original Message:
Sent: Mar 22, 2023 07:52 PM
From: MrWatson
Subject: IAPs and advisory ARUBA-PSA-2023-001
Hi. Security advisory "ARUBA-PSA-2023-001 :: Multiple Vulnerabilities in OpenSSL (Rev-3)" states that the following are affected:
- Aruba InstantOS / Aruba Access Points running ArubaOS 10
  - InstantOS 6.5.4.x and 6.4.x.x-4.2.x.x are not affected
  - This product line is only affected if the web-server configuration is changed from default settings to use RSA ciphers.
  - Customers who have configured the use of RSA ciphers will be affected if running the following versions.
    - ArubaOS 10.4.x.x: 10.4.0.0 and below
    - ArubaOS 10.3.x.x: 10.3.1.4 and below
    - Aruba InstantOS 8.11.x.x: 8.11.0.1 and below
    - Aruba InstantOS 8.10.x.x: 8.10.0.6 and below
    - Aruba InstantOS 8.7.x.x: 8.7.1.11 and below
    - Aruba InstantOS 8.6.x.x: 8.6.0.20 and below
We are running IAPs mostly on version 8.7.10, and I believe we haven't changed any web server configuration. When I look at the certs on the IAP admin webpage, they are the default "setmeup.arubanetworks.com" certs and they say they are using RSA encryption. I'm guessing this is just for the cert and doesn't apply to the communication, but when I connected in my web browser it said "The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM."
Is it possible that our IAPs could be affected by the vulnerability?
Thanks