Skimming through the PoCs and writeups for the latest Apache Struts security screw up it's pretty obvious Apache Struts is going to be a constant source of security advisories against ClearPass.
So the timeline so far from my point of view:
August 22nd: Struts vulnerability announcement
August 22nd/23rd: Proof-of-concept code widely available on GitHub, detailed writeups follow a day or two later
August 24th 10pm Eastern (Friday night):
First advisory released:
- Fix would require 6.7.6 (when available)
- No mention of research needed, so assumed the vulnerability is known
August 27th (Monday):
Internally: Oh @!#!, they are bundling it as a major patch instead of separately. It's the first week of class. How are we going to get this tested and deployed before everyone disappears for Labor Day? Hitting reload every couple of hours on the ClearPass updates page begins.
New version of advisory, still mentions 6.7.6, now it's vague as to whether a patch will actually come out - More information promised on the 28th
August 29th (Wednesday):
New version of advisory, there will now be a hotfix so no version upgrade required (Thank God!). Still vague on whether it's actually vulnerable, and no actual info update on this.
So...
How long is acceptable to wait for a patch for a system that is the cornerstone of your network's security? At what point do you give up on "research" and just assume it's the case and patch the **bleep** thing? Is ClearPass code too horrible to allow for updating of an upstream resource?
How is Aruba addressing this lag in response times when this WILL keep happening over and over again with Struts?
Why are TIPS, Insight, and Graphite sharing the same HTTP server instance/TCP port as the end-user-accessible self-service functionality? It makes it impossible to properly firewall off admin resources from end-user devices. If I can't trust web service authentication to protect the web service, why would I trust ClearPass's internal IP filter to save me? It has to accept an HTTP request and parse it before it can even make that judgement. That is unneeded exposure.
Thanks.