- 155/2023
- High
Aruba has released security updates to fix several vulnerabilities in multiple versions of Aruba Networks ArubaOS.
The addressed vulnerabilities could allow the attacker to execute arbitrary commands, directory traversal, obtain sensitive information, cause a cross-site scripting attack, or gain access to the affected software versions.
Sample of the addressed vulnerabilities:
1. Aruba Networks ArubaOS Cross-Site Scripting (CVE-2023-35971):
- CVSS: 8.8
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
2. Aruba Networks ArubaOS Command Execution (CVE-2023-35972):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
Affected products:
- Mobility Conductor (formerly Mobility Master) and Controllers.
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central.
- ArubaOS 10.4.x.x: 10.4.0.1 and below.
- ArubaOS 8.11.x.x: 8.11.1.0 and below.
- ArubaOS 8.10.x.x: 8.10.0.6 and below.
- ArubaOS 8.6.x.x: 8.6.0.20 and below.
Vulnerabilities
- CVE-2023-35971
- CVE-2023-35972
- CVE-2023-35973
- CVE-2023-35974
- CVE-2023-35975
- CVE-2023-35976
- CVE-2023-35977
- CVE-2023-35978
- CVE-2023-35979
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.