Multiple vulnerabilities in Aruba Network ArubaOS

Published: 2017-10-11 12:08:56 | Updated: 2017-10-26
Severity: Low
Patch available: Yes
Number of vulnerabilities: 3
CVE ID: CVE-2017-9000, CVE-2017-9003
CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
        7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]
        3.9 [CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-284, CWE-119, CWE-89
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: ArubaOS
Vulnerable software versions: ArubaOS 6.4.4.15, ArubaOS 6.4.4.14, ArubaOS 6.4.4.13


Vendor URL: Aruba Networks

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper access control. A remote attacker with network access to an Aruba mobility controller on TCP port 8080 or 8081 can access files which could contain passwords, keys, and other sensitive information.

Remediation

The vulnerability is addressed in the following versions: 6.3.1.25, 6.4.4.16, 6.5.1.9, 6.5.3.3, 6.5.4.2, 8.1.0.4.

External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-006.txt

2) Memory corruption

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition or possibly execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can supply specially crafted input that triggers multiple memory corruptions, causing ArubaOS processes to crash and possibly allowing arbitrary code execution.

Remediation

The vulnerability is addressed in the following versions: 6.3.1.25, 6.4.4.16, 6.5.1.9, 6.5.3.3, 6.5.4.2, 8.1.0.4.

External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-006.txt

3) SQL injection

Description

The vulnerability allows a remote administrative attacker to execute SQL commands on the target system.

The weakness exists due to improper validation of user-supplied input. A remote attacker with access to the management interface can supply a specially crafted parameter value and execute SQL commands to read or write arbitrary data.

Remediation

The vulnerability is addressed in the following versions: 6.3.1.25, 6.4.4.16, 6.5.1.9, 6.5.3.3, 6.5.4.2, 8.1.0.4.

External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-006.txt
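The fixes above are listed per maintenance branch, so a controller must be compared against the fixed release of its own branch (6.4.4.15 is judged against 6.4.4.16, not against 8.1.0.4). The following Python script is an added example for triaging a controller inventory against this advisory; it is not part of the advisory or of any Aruba tool, the hostnames and inventory are constructed, and it assumes that any release below its branch's listed fix is affected and that branches with no listed fix need manual review.

```python
from typing import Tuple

# Fixed releases listed in the advisory, one per maintenance branch (a.b.c.d -> branch a.b.c).
FIXED_RELEASES = ["6.3.1.25", "6.4.4.16", "6.5.1.9", "6.5.3.3", "6.5.4.2", "8.1.0.4"]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse an ArubaOS dotted version such as '6.4.4.15' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ArubaOS version format: {text!r}")
    return tuple(int(p) for p in parts)


# Branch prefix (major, minor, patch) -> full fixed version for that branch.
FIXED_BY_BRANCH = {parse_version(v)[:3]: parse_version(v) for v in FIXED_RELEASES}


def assess(version_text: str) -> str:
    """Return 'fixed', 'affected' or 'unknown-branch' for one controller's reported version.

    Only the fix in the controller's own branch is relevant, so the comparison is
    restricted to that branch. A branch with no fix listed in the advisory is reported
    as 'unknown-branch' so it gets reviewed rather than silently treated as safe
    (an assumption of this example, not a statement from the advisory).
    """
    v = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(v[:3])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if v >= fixed else "affected"


def triage(inventory: dict) -> dict:
    """Map each controller name to its assessment; inventory is {name: version string}."""
    return {name: assess(ver) for name, ver in inventory.items()}


# Constructed sample inventory: hostnames are made up, versions are taken from the advisory
# except mc-lab-01, which illustrates a branch with no listed fix.
SAMPLE_INVENTORY = {
    "mc-hq-01": "6.4.4.15",   # listed as vulnerable above -> affected
    "mc-hq-02": "6.4.4.16",   # the fixed release for the 6.4.4 branch -> fixed
    "mc-dc-01": "8.1.0.4",    # fixed release for the 8.1.0 branch -> fixed
    "mc-lab-01": "6.5.2.1",   # no fix listed for 6.5.2 -> unknown-branch
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```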
