Aruba Networks patches management software

By

Policy manager needs fixes.

HPE company Aruba Networks has shipped patches covering 14 vulnerabilities in its ClearPath Policy Manager software.

Aruba Networks patches management software

The bugs affect patch versions 6.10.6 and below in the 6.10.x series, and 6.9.11 and below in the 6.9.x series.

Five of the vulnerabilities are in the class of authenticated SQL injection bugs in the product’s Web-based management interface.

CVE-2022-23692, CVE-2022-23693, CVE-2022-23694, CVE-2022-23695, and CVE-2022-23696 would allow an authenticated remote attacker to “obtain and modify sensitive information in the underlying database”, the advisory stated, “potentially leading to complete compromise of the ClearPass Policy Manager cluster”.

Those vulnerabilities are rated high severity and were reported to the company’s bug bounty by Luke Young, working with Daniel Jensen.

Also high severity is CVE-2022-23685, which exposes endpoints to a lack of cross-site request forgery (CSRF) protection.

A remote, unauthenticated attacker to execute input against the endpoints, “if the attacker can convince an authenticated user of the interface” to click on a crafted URL.

The ClearPass OnGuard agency for macOS is subject to CVE-2022-37877, a privilege escalation allowing users on a macOS instance to execute arbitrary code as root.
It was also the work of Luke Young and is rated high.

Daniel Jensen had a hand in a collection of six high-rated remote command injection bugs in the web management interface: CVE-2022-37878, CVE-2022-37879, CVE-2022-37880, CVE-2022-37881, CVE-2022-37882, and CVE-2022-37883.

Remote authenticated users can run commands on the underlying host as root, leading to “complete system compromise”.

He also reported a medium rated denial-of-service condition, CVE-2022-37884.

At the time of writing, no further information on the vulnerabilities had been made public.

The bugs are fixed in ClearPass Policy Manager 6.10.7 and above, and 6.9.12 and above.

The company also recommends the CLI and Web-based management interface are restricted to dedicated layer 2 segments, VLANs, or firewalls.

 

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Services Australia's sweeping security uplift plans for myGov

Services Australia's sweeping security uplift plans for myGov

Medibank allegedly missed EDR alerts before data breach

Medibank allegedly missed EDR alerts before data breach

Northern Beaches Council reviews security stack to shore up widening perimeter

Northern Beaches Council reviews security stack to shore up widening perimeter

CrowdStrike rejects Delta Air Lines claims over outage

CrowdStrike rejects Delta Air Lines claims over outage

Log In

  |  Forgot your password?