- 56/2023
- Critical
Aruba has released security updates to fix vulnerabilities across multiple Aruba products.
The severity of the addressed vulnerabilities could allow the remote attacker to execute code, obtain information, bypass security restrictions, and perform crosssite scripting.
Sample of the addressed vulnerabilities:
Unauthenticated Command Injections in the PAPI Protocol (CVE-2023-22747):
• CVSS: 9.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Gain Access
Affected Products:
• Aruba Mobility Conductor (formerly Mobility Master).
• Aruba Mobility Controllers.
• WLAN Gateways and SD-WAN Gateways managed by Aruba Central.
Affected Software Versions:
• ArubaOS 8.6.0.19 and below.
• ArubaOS 8.10.0.4 and below.
• ArubaOS 10.3.1.0 and below.
• SD-WAN 8.7.0.0 and below.
• SD-WAN 2.3.0.8 and below.
It should be highlighted that versions of ArubaOS (6.5.4.x – 8.7.x.x – 8.8.x.x – 8.9.x.x) and SD-WAN (8.6.0.4 – 2.2.x.x) that are End of Life are affected by these vulnerabilities and are not patched.
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.