Aruba Alert

Classification
These posts contain security alerts, including digital loopholes, electronic attacks, technical updates, and they are classified based on the level of severity.

Critical

High

Medium

Low

Warning Date: 9 February, 2023
Severity Level: High
Warning Number: 2023-5449
Target Sector: All

Description:

Aruba has released security updates to address several vulnerabilities in the following products:

  • AirWave Management Platform
    • 8.2.15.1 and below
  • Aruba Analytics and Location Engine
    • 2.2.0.3 and below
  • Aruba Central On-Premises (COP)
    • 2.5.5.4 and below
  • Aruba ClearPass Policy Manager
    • 6.11.1 and below
    • 6.10.8 and below
    • 6.9.13 and below
  • Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
    • 6.4.1 and below
  • ArubaOS-CX Switches
    • 10.11.0001 and below
    • 10.10.1030 and below
    • 10.06.0230 and below
  • ArubaOS Wi-Fi Controllers and Gateways
  • ArubaOS SD-WAN Gateways
    • ArubaOS 10.3.x.x: 10.3.1.3 and below
    • ArubaOS 8.11.x.x: 8.11.0.1 and below
    • ArubaOS 8.10.x.x: 8.10.0.5 and below
    • ArubaOS 8.7.x.x: 8.7.1.11 and below
    • ArubaOS 8.6.x.x: 8.6.0.20 and below
    • ArubaOS 6.5.x.x: 6.5.4.23 and below
    • SDWAN 2.x.x.x: 8.7.0.0-2.3.0.9 and below
  • Aruba InstantOS / Aruba Access Points running ArubaOS 10
    • InstantOS 6.5.4.x and 6.4.x.x-4.2.x.x are not affected
    • This product line is only affected if the web-server configuration is changed from default settings to use RSA ciphers.
    • Customers who have configured the use of RSA ciphers will be affected if running the following versions.
      • ArubaOS 10.3.x.x: 10.3.1.3 and below
      • Aruba InstantOS 8.11.x.x: 8.11.0.1 and below
      • Aruba InstantOS 8.10.x.x: 8.10.0.5 and below
      • Aruba InstantOS 8.7.x.x: 8.7.1.11 and below
      • Aruba InstantOS 8.6.x.x: 8.6.0.20 and below
  • Aruba EdgeConnect Enterprise
    • ECOS 9.2.2.0 and below
    • ECOS 9.1.4.2 and below
    • ECOS 9.0.8.0 and below
    • ECOS 8.3.8.0 and below
  • Aruba EdgeConnect Enterprise Orchestrator (on prem)
    • Orchestrator 9.2.2.40311 and below

Threats:

An attacker could exploit these vulnerabilities to achieve the following:

  • Denial of Service (DoS)
  • Sensitive Information Disclosure

Best practice and Recommendations:

The CERT team encourages users to review the Aruba security advisory and apply the necessary updates:

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-001.txt
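
To triage an inventory against the ArubaOS and InstantOS ranges listed above, the following added example (not part of the original alert or of Aruba's advisory) compares each version with the highest affected release in its branch. The family labels, hostnames and inventory rows are constructed for illustration; branches the alert does not list are reported as such rather than guessed.

```python
# Highest affected release per branch (first two components), from the alert.
CONTROLLER_MAX = {
    (10, 3): (10, 3, 1, 3),
    (8, 11): (8, 11, 0, 1),
    (8, 10): (8, 10, 0, 5),
    (8, 7): (8, 7, 1, 11),
    (8, 6): (8, 6, 0, 20),
    (6, 5): (6, 5, 4, 23),
}
# The InstantOS list repeats these thresholds, except 6.5.4.x is not affected.
INSTANT_MAX = {b: v for b, v in CONTROLLER_MAX.items() if b != (6, 5)}
TABLES = {"controller": CONTROLLER_MAX, "instant": INSTANT_MAX}  # hypothetical labels

# Constructed sample inventory: (host, family, version, RSA ciphers configured)
INVENTORY = [
    ("mc-01", "controller", "8.10.0.5", False),
    ("mc-02", "controller", "8.10.0.6", False),
    ("mc-03", "controller", "8.9.0.3", False),
    ("ap-01", "instant", "8.7.1.11", True),
    ("ap-02", "instant", "8.7.1.11", False),
]

def parse(version):
    """'8.10.0.5' -> (8, 10, 0, 5); ValueError on any other shape."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric components: {version!r}")
    return parts

def status(family, version, rsa_ciphers=False):
    """Return 'affected', 'not affected' or 'branch not listed'."""
    table = TABLES[family]  # KeyError on an unknown family label
    v = parse(version)
    if family == "instant" and (v[:3] == (6, 5, 4) or not rsa_ciphers):
        # Per the alert: 6.5.4.x is unaffected, and others only with RSA ciphers.
        return "not affected"
    limit = table.get(v[:2])
    if limit is None:
        return "branch not listed"  # do not guess for releases the alert omits
    return "affected" if v <= limit else "not affected"

def triage(inventory):
    """Map each host in the inventory to its status."""
    return {host: status(fam, ver, rsa) for host, fam, ver, rsa in inventory}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```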

Last updated at 9 February, 2023