
- 306/2022
- High
Aruba has released security updates to fix vulnerabilities across multiple Aruba products.
These vulnerabilities could allow a remote attacker to execute code, obtain information, and bypass security controls.
Examples of the addressed vulnerabilities:
1- Privilege Escalation in Aruba EdgeConnect Enterprise Orchestrator Web-based Management Interface (CVE-2022-44535):
• CVSS: 8.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Privilege
2- Authenticated SQL Injection in Aruba EdgeConnect Enterprise Orchestrator Web-based Management Interface (CVE-2022-43519):
• CVSS: 8.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Access
Affected Products:
• Aruba EdgeConnect Enterprise Orchestrators:
o Aruba EdgeConnect Enterprise Orchestrator (on-premises).
o Aruba EdgeConnect Enterprise Orchestrator-as-a-Service.
o Aruba EdgeConnect Enterprise Orchestrator-SP.
o Aruba EdgeConnect Enterprise Orchestrator Global.
• Enterprise Tenant Orchestrators:
o Orchestrator 9.2.1.40179 and below.
o Orchestrator 9.1.4.40436 and below.
o Orchestrator 9.0.7.40110 and below.
o Orchestrator 8.10.23.40015 and below.
o Any older branches of Orchestrator not specifically listed above.
Note that end-of-life versions of Aruba EdgeConnect Enterprise Orchestrator are also affected by these vulnerabilities unless otherwise indicated.
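The affected-version list above is a per-branch ceiling ("and below" within each release branch), which is easy to get wrong with plain string comparison (for example, "9.2.10" sorts before "9.2.1.40179" as text). The following script is an added example, not part of the advisory or of any Aruba tooling: it encodes the ceilings stated above, compares versions numerically and branch by branch, and reports each host in an inventory as affected, not affected, or unlisted. The hostnames and build strings in SAMPLE_INVENTORY are constructed; the treatment of branches older than 8.10 as affected follows the advisory's statement that older, end-of-life branches are affected.

```python
"""Branch-aware check of Orchestrator build numbers against the advisory's affected ceilings."""
import re

# Highest affected build per release branch, as stated in the advisory.
AFFECTED_CEILINGS = {
    (9, 2): (9, 2, 1, 40179),
    (9, 1): (9, 1, 4, 40436),
    (9, 0): (9, 0, 7, 40110),
    (8, 10): (8, 10, 23, 40015),
}
OLDEST_LISTED_BRANCH = min(AFFECTED_CEILINGS)

# Accept two to four dotted numeric components (e.g. 9.2, 9.2.1, 9.2.1.40179).
VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(text):
    """Turn a dotted build string into a 4-tuple of ints so comparisons are numeric."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"not a dotted version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    # Pad to four components so 9.2.1 compares as 9.2.1.0.
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version_text):
    """Classify one build: 'affected', 'not_affected' or 'unlisted'."""
    version = parse_version(version_text)
    branch = version[:2]
    ceiling = AFFECTED_CEILINGS.get(branch)
    if ceiling is not None:
        # Same branch: the advisory says this build and everything below it is affected.
        return "affected" if version <= ceiling else "not_affected"
    if branch < OLDEST_LISTED_BRANCH:
        # Older branch not listed individually: advisory treats end-of-life branches as affected.
        return "affected"
    # A branch the advisory does not cover at all: report it rather than guess.
    return "unlisted"


def triage(inventory):
    """Map (hostname, version) pairs to their assessment."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    SAMPLE_INVENTORY = [
        ("orch-prod-01", "9.2.1.40179"),   # exactly the ceiling: affected
        ("orch-prod-02", "9.2.10.1"),      # numerically above the ceiling: not affected
        ("orch-lab", "9.1.4.40436"),       # ceiling of the 9.1 branch: affected
        ("orch-legacy", "8.9.5"),          # older, unlisted branch: affected
        ("orch-new", "9.3.0.1"),           # branch the advisory does not list
    ]
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {verdict}")
```

Run it as-is to see the sample verdicts, or feed triage() the output of your own asset inventory. The "unlisted" result is deliberate: a branch the advisory does not name should be checked against the vendor bulletin, not silently marked safe.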
Vulnerabilities
- CVE-2022-43519
- CVE-2022-43520
- CVE-2022-43521
- CVE-2022-43522
- CVE-2022-43523
- CVE-2022-43524
- CVE-2022-43525
- CVE-2022-43526
- CVE-2022-43527
- CVE-2022-43528
- CVE-2022-43529
- CVE-2022-44534
- CVE-2022-44535
Mitigations
Affected organizations should deploy the vendor patch as soon as testing is complete.