Aruba Released Security Updates – 16 October 2022

Aruba has released security updates for Aruba EdgeConnect Enterprise Orchestrator that address multiple critical security vulnerabilities. A remote attacker could exploit some of these vulnerabilities to take control of the affected system.

The addressed vulnerabilities could allow a remote attacker to elevate privileges to administrator without credentials and to execute arbitrary commands on the underlying host, leading to complete system compromise.

Samples of the addressed vulnerabilities:

1. Authentication Bypass Leading to System Takeover in Aruba EdgeConnect Enterprise Orchestrator Web-Based Management Interface (CVE-2022-37913):

  • CVSS: 9.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Bypass Security

2. Unauthenticated Remote Code Execution in Aruba EdgeConnect Enterprise Orchestrator Web-Based Management Interface (CVE-2022-37915):

  • CVSS: 9.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Access

Vulnerabilities

CVE-2022-37913
CVE-2022-37914
CVE-2022-37915

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt