- 213/2024
- High
Aruba has released security updates to fix multiple vulnerabilities affecting several HPE Aruba products.
The addressed vulnerabilities could allow the remote attacker to obtain sensitive information, perform cross-site scripting attacks, or execute arbitrary commands and gain access to the affected products.
Sample of the addressed vulnerabilities:
1. EdgeConnect SD-WAN Orchestrator Cross-Site Scripting Vulnerability (CVE-2024-41914):
- CVSS: 8.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Consequences: Cross-Site Scripting
2. HPE Aruba Remote Code Execution Vulnerability (CVE-2024-22443):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
Sample of affected products:
- HPE Aruba Networking EdgeConnect SD-WAN Gateways.
- EdgeConnect SD-WAN Orchestrator (self-hosted, on-premises).
- EdgeConnect SD-WAN Orchestrator (self-hosted, public cloud IaaS).
- EdgeConnect SD-WAN Orchestrator-as-a-Service.
- EdgeConnect SD-WAN Orchestrator-SP Tenant Orchestrators.
- EdgeConnect SD-WAN Orchestrator Global Enterprise Tenant Orchestrators.
Vulnerabilities
- CVE-2024-41914
- CVE-2024-22444
- CVE-2024-22443
- CVE-2023-51385
- CVE-2023-48795
- CVE-2024-3596
- CVE-2024-41133
- CVE-2024-41134
- CVE-2024-41135
- CVE-2024-41136
- CVE-2024-33519
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.