- 248/2022
- Critical
Aruba has released security updates to fix vulnerabilities in multiple products
related to WLAN and SD-WAN.
The severity of the addressed vulnerabilities could allow the unauthenticated remote attacker to execute arbitrary code, cause a denial of service, and obtain information.
Samples of the addressed vulnerabilities:
1- Command Injection in the PAPI protocol (CVE-2022-37897):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2- Authenticated Path Traversal in ArubaOS Command Line Interface (CVE-2022-37906):
- CVSS: 6.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Obtain Information
Affected Products:-
- Aruba Mobility Conductor (formerly Mobility Master)
- Aruba Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Centra
Vulnerabilities
- CVE-2022-37897
- CVE-2022-37898
- CVE-2022-37899
- CVE-2022-37900
- CVE-2022-37901
- CVE-2022-37902
- CVE-2022-37903
- CVE-2022-37904
- CVE-2022-37905
- CVE-2022-37906
- CVE-2022-37907
- CVE-2022-37908
- CVE-2022-37909
- CVE-2022-37910
- CVE-2022-37911
- CVE-2022-37912
Mitigations
The enterprise should deploy this workaround until the patch is released.
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt