HPE subsidiary Aruba Networks has shipped patches covering 14 vulnerabilities in its ClearPass Policy Manager software.
The bugs affect versions 6.10.6 and below in the 6.10.x series, and 6.9.11 and below in the 6.9.x series.
Five of the vulnerabilities are authenticated SQL injection bugs in the product’s web-based management interface.
CVE-2022-23692, CVE-2022-23693, CVE-2022-23694, CVE-2022-23695, and CVE-2022-23696 would allow an authenticated remote attacker to “obtain and modify sensitive information in the underlying database”, the advisory stated, “potentially leading to complete compromise of the ClearPass Policy Manager cluster”.
Those vulnerabilities are rated high severity and were reported to the company’s bug bounty by Luke Young, working with Daniel Jensen.
Also high severity is CVE-2022-23685, which stems from a lack of cross-site request forgery (CSRF) protection on several endpoints.
It could allow a remote, unauthenticated attacker to execute input against those endpoints, “if the attacker can convince an authenticated user of the interface” to click on a crafted URL.
The ClearPass OnGuard agent for macOS is subject to CVE-2022-37877, a privilege escalation allowing users on a macOS instance to execute arbitrary code as root.
It was also the work of Luke Young and is rated high.
Daniel Jensen also reported a collection of six high-rated remote command injection bugs in the web-based management interface: CVE-2022-37878, CVE-2022-37879, CVE-2022-37880, CVE-2022-37881, CVE-2022-37882, and CVE-2022-37883.
Remote authenticated users can run commands on the underlying host as root, leading to “complete system compromise”.
He also reported a medium-rated denial-of-service condition, CVE-2022-37884.
At the time of writing, no further information on the vulnerabilities had been made public.
The bugs are fixed in ClearPass Policy Manager 6.10.7 and above, and 6.9.12 and above.
The company also recommends restricting the CLI and web-based management interface to dedicated layer 2 segments or VLANs, or controlling access to them with firewall policies.