SB2017101114 - Multiple vulnerabilities in Aruba Network ArubaOS

Published: October 11, 2017 Updated: October 26, 2017

Security Bulletin ID: SB2017101114
Severity: Low
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2017-9000)

The vulnerability allows a remote attacker to obtain potentially sensitive information from the target system.

The weakness exists due to improper access control. A remote attacker with network access to an Aruba mobility controller on TCP port 8080 or 8081 can retrieve files that may contain passwords, keys and other sensitive information. Network reachability of these two ports is therefore the exposure that matters for this issue.
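
The following exposure check is an added example; it is not part of the bulletin and not vendor tooling. It tests whether the two TCP ports named above complete a handshake from wherever the script runs, so it can be run from each network segment that should not reach the controller's management plane. It assumes only that the controller's address is known; 192.0.2.1 is an RFC 5737 documentation placeholder, and the loopback helpers exist so the checker can be validated against a known-open and a known-closed port without touching a real controller.

```python
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# TCP ports named in the bulletin for CVE-2017-9000.
ADVISORY_PORTS = (8080, 8081)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True only if a TCP handshake to host:port completes within `timeout`.

    Connection refused, unreachable host and timeout all count as not
    reachable, which is the state you want for these ports from untrusted
    networks.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, ports: Iterable[int] = ADVISORY_PORTS,
                   timeout: float = 3.0) -> Dict[int, bool]:
    """Map each port to whether it is reachable from this machine."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that accepted a connection, i.e. the ones to filter until patched."""
    return sorted(port for port, reachable in results.items() if reachable)


def listen_on_loopback() -> Tuple[socket.socket, int]:
    """Open a listening socket on 127.0.0.1 on an ephemeral port (self-check).

    The kernel completes handshakes for a listening socket even before
    accept() is called, so no accept loop is needed for the probe to succeed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_loopback_port() -> int:
    """Return a loopback port nothing is listening on (bind, read, release)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Usage: python check_controller_ports.py <controller-ip>
    # Any port reported REACHABLE from a segment that should not reach the
    # management plane needs an ACL until the vendor update is installed.
    # 192.0.2.1 is a documentation address (RFC 5737), used here only as a
    # placeholder default.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    results = check_exposure(target)
    for port, reachable in results.items():
        state = "REACHABLE" if reachable else "not reachable"
        print(f"{target}:{port} -> {state}")
    print("exposed:", exposed_ports(results) or "none")
```

The check deliberately treats every failure mode the same way: a refused connection, a filtered port that times out and an unreachable host all report as not reachable, because from an attacker's position they are equivalent. Only a completed handshake counts as exposure.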

2) Memory corruption (CVE-ID: CVE-2017-9003)

The vulnerability allows a remote attacker to cause a DoS condition or possibly execute arbitrary code on the target system.

The weakness exists due to a boundary error. A remote attacker can supply specially crafted input that triggers multiple memory corruptions, crashing ArubaOS processes and possibly allowing arbitrary code execution.

3) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote attacker with administrative access to execute SQL commands on the target system.

The weakness exists due to insufficient validation of user-supplied input in the management interface. An attacker who can reach the management interface can supply a specially crafted parameter value and execute SQL commands to read or write arbitrary data. Because exploitation requires access to the management interface, restricting who can reach that interface limits the practical exposure.

Remediation

Install the update from the vendor's website. Until the update is installed, restrict TCP ports 8080 and 8081 and the management interface of affected mobility controllers to trusted management networks.