Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass PHP Version - End of Life

  • 1.  Clearpass PHP Version - End of Life

    Posted Nov 27, 2023 02:13 PM

    I've searched the forums and Google, opened a TAC case, and emailed our account team, and no one has been able to provide an answer our security team will accept.

    We have an ongoing scan result that is showing Clearpass running PHP v7.x, which is tagged as EOL. TAC has confirmed the versions of PHP running in clearpass as 7.x (where x depends on the branch). The PHP website is showing PHP v7.4 going end of life in November 2022. Anyone have any information on when or if Aruba is going to release any branch of Clearpass with a supported version of PHP?

    This is an ongoing unresolved internal ticket, and I was surprised my searching didn't bring up anyone else asking about it, which makes me think I've (hopefully) missed something. 

    Thanks



  • 2.  RE: Clearpass PHP Version - End of Life

    Posted Dec 01, 2023 03:41 PM

    I just got an alert from my security team today, Dec 1, asking about the same thing.  I'll open a TAC case too.




  • 3.  RE: Clearpass PHP Version - End of Life

    Posted Dec 01, 2023 04:12 PM

    Hi

    What ClearPass are you running?

    It sounds very strange if ClearPass 6.11 would have an End of Life version of PHP, as this version was released this time of year in 2022.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: Clearpass PHP Version - End of Life

    Posted Dec 01, 2023 06:18 PM

    I opened a ticket with support and they replied

    As of now, we support For Clearpass v6.10.1 having PHP v7.3.28. Clearpass v6.10.7 has PHP v7.3.33. And for Clearpass v6.11.3 found with PHP version is 7.4.33.

    Our sales engineer confirmed with this message 

    "Currently we are still using PHP version 7, which has been noted to be "end of life".  That limitation is then not impacting customers however as we have been working with extended support of the language by one of the maintainers that releases the security only fixes regularly under his own project name to provide these security fixes.  The timeline of this will be sufficient to cover existing customers and not force them to upgrade to PHP 8 in the 6.11 release.  We are otherwise in process of migrating to PHPv8, however due to the large number of incompatibilities with previous versions of the language we opted to not force customers to undergo that change with the 6.11 reinstall.  This then also provides us the chance to auto-convert some of the issues that customers would otherwise be forced to undergo themselves such that when we release PHPv8 in a future SSR version that it allows customers the opportunity to minimize their additional work."

    I understand that it's a big lift to upgrade to a new release of PHP, but it would be nice to have some sort of roadmap or projected release date for the exception to the remediation. I was hoping someone here may have heard something more than what I have. 




  • 5.  RE: Clearpass PHP Version - End of Life

    Posted 8 days ago

    Update 6/18/24 - CVE-2024-4577

    For those running Clearpass on Windows, this is a critical vulnerability related to PHP and CGI. There is no mention I can find of this CVE in the Aruba Security Advisories.

    The release notes for Clearpass Cumulative Patch 2 for 6.12.0, 6.12.1 (released 05/21/24) show

    It is going to suck to have to migrate to another NAC if there isn't a fix in the very near future for this. 




  • 6.  RE: Clearpass PHP Version - End of Life

    EMPLOYEE
    Posted 7 days ago

    The CVE you've mentioned is only applicable to PHP running within a Windows environment.  ClearPass is not running on a Windows kernel.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Clearpass PHP Version - End of Life

    Posted 7 days ago

    Yep, sorry. Bit of a knee jerk reaction there. 




  • 8.  RE: Clearpass PHP Version - End of Life

    MVP
    Posted 5 days ago

    I believe even ClearPass 6.12 is running PHP 7.4. Unless HPE has bought ZendPHP for their customers, official support on that version vanished in late 2020.

    How dependable is a security server using unsupported libraries? The current PHP version is now 8.3. 8.1 is on extended support until the end of 2025.

    I have asked the above questions for my personal enlightenment, apart from my employer.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 9.  RE: Clearpass PHP Version - End of Life

    EMPLOYEE
    Posted 5 days ago

    Please remember that the product is ClearPass, not Linux, not PHP.  HPE Aruba Networking supports the ClearPass appliance which includes the base OS and the libraries required for ClearPass to operate.  Regardless of the current support state for individual libraries in the public domain, those libraries continue to be patched with the necessary security fixes and rolled out as ClearPass support patches and hotfixes.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: Clearpass PHP Version - End of Life

    EMPLOYEE
    Posted yesterday

    Bruce ~

    For your personal enlightenment :) Yes, PHP 7 "vanished" in late 2020 officially.  We do have access to the extended support of the PHP 7 system directly from the maintainers.  They have committed to providing the security only fixes for PHP 7 for multiple years.  You can get a more official statement from TAC if needed.

    Because of a number of incompatibilities with PHP 7 and 8, we decided to not force customers to go through the potential need to update any customized code they may be running during the same time we are doing a system re-install with 6.11. While it isn't likely to impact all customers, the impact to a few customers on top of the rest of the changes was something that we didn't want to force on people in an LSR version.




  • 11.  RE: Clearpass PHP Version - End of Life

    MVP
    Posted yesterday

    Thank you for the update & affirmation. Is there any plan to ever update? The longer the delay, the greater amount of work involved in updating.

    It appeared strange to me that 6.11 was tagged as LSR from the start of the release, especially considering all of the major changes.

    I remember back when CPPM 6.0.0 was released, combining CPPM & Guest. It was not until version 6.2.x that it was stable enough for us to move from trusty 5.1.1.

    We are currently running 6.12 due to the fact that Entra ID support was rewritten after 6.11. It is summer, but so far, things are going well.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 12.  RE: Clearpass PHP Version - End of Life

    EMPLOYEE
    Posted 23 hours ago

    Tell your account team to get a PLM Roadmap conversation set up and I'll answer this and any of the other questions you have around it.  Unfortunately, I can't respond about "future plans" in a public forum.