Everyone -
I'm the security product manager at Aruba. Please note that this is not a formal communication, we will be posting a formal communication on our website according to our security policy shortly. That update will be posted here - http://www.arubanetworks.com/support-services/security-bulletins/
We are still assessing our exposure to this vulnerability, but it clearly impacts AOS 6.3.x and AOS 6.4.x. We are working on updates to these as I type this, with the intention of publishing them as soon as we can finish and complete testing.
Until then, reducing access to the web GUI via control plane ACLs makes sense. Other steps to limit exposure will be published as they are identified, and included in the security bulletin.
We are doing a careful analysis of the impact - the problem with this attack is that it gives the attacker access to some parts of the memory of the attacked system. The advice on the internet to change all private keys is based on the fear that the key could be in this segment of memory. We're validating whether or not this is the case, but you will have to decide your organization's tolerance to this particular risk.
Thanks for your understanding, and we'll keep you informed.