Aruba Networks Issues Security Advisory for Six Critical Flaws in ArubaOS

Unlock Best Pricing with In-stock, Ready-to-Ship Products

Aruba Networks, a subsidiary of Hewlett Packard Enterprise, has recently released a security advisory to inform its customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system. The affected devices include Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN Gateways and SD-WAN Gateways.

The critical flaws addressed by Aruba Networks can be separated into two categories: command injection flaws and stack-based buffer overflow problems in the PAPI protocol. The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 rating of 9.8 out of 10.0. An unauthenticated, remote attacker can leverage them by sending specially crafted packets to the PAPI over UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.

The stack-based buffer overflow bugs are tracked as CVE-2023-22751 and CVE-2023-22752 and also have a CVSS v3 rating of 9.8. These flaws are exploitable by sending specially crafted packets to the PAPI over UDP port 8211, allowing unauthenticated, remote attackers to run arbitrary code as privileged users on ArubaOS.

The impact of these vulnerabilities is significant, as ArubaOS is a popular network operating system used by many enterprises. The affected versions are ArubaOS 8.6.0.19 and below, ArubaOS 8.10.0.4 and below, ArubaOS 10.3.1.0 and below, and SD-WAN 8.7.0.0-2.3.0.8 and below.

Aruba has advised users to upgrade to the target upgrade versions to mitigate the vulnerabilities. The target versions for the different systems are as follows:

ArubaOS 8.10.0.5 and above
ArubaOS 8.11.0.0 and above
ArubaOS 10.3.1.1 and above
SD-WAN 8.7.0.0-2.3.0.9 and above

However, it is important to note that several product versions that have reached End of Life (EoL) are also affected by these vulnerabilities and will not receive a fixing update. These include ArubaOS 6.5.4.x, ArubaOS 8.7.x.x, ArubaOS 8.8.x.x, ArubaOS 8.9.x.x, and SD-WAN 8.6.0.4-2.2.x.x. System administrators who cannot apply the security updates or are using EoL devices can enable the “Enhanced PAPI Security” mode using a non-default key as a workaround.

It is also worth noting that applying the mitigations does not address another 15 high-severity and eight medium-severity vulnerabilities listed in Aruba’s security advisory, which are fixed by the new versions.

Aruba has stated that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory, February 28, 2022. However, given the severity of the vulnerabilities, it is important for enterprises to take prompt action to upgrade their systems or implement the recommended mitigations to avoid potential attacks that could lead to data breaches and other security incidents.

Despite the recent security advisory, Aruba Networks remains a leading provider of cutting-edge networking products and services that are designed to meet the unique needs of today’s businesses. Let’s explore some of their key products with ArubaOS.

HPE JZ320A – Aruba AP303 Access Point

JZ320A is the Aruba AP-303 (RW) Dual 2×2:2 MU-MIMO Radio Internal Antennas Unified Campus AP. The affordable mid-range Aruba 303 Series campus access point delivers high performance 802.11ac with MU-MIMO (Wave 2) for medium density enterprise environments. With the integrated BLE and supporting 802.3af power, the Aruba 303 Series AP enables enterprises to improve their work efficiency and productivity with the lowest TCO.

JZ320A Specification
Product Name Aruba AP-303 (RW) Dual 2×2:2 MU-MIMO Radio Internal Antennas Unified Campus AP
Manufacturer Part Number JZ320A
Product Series 303
Product Model AP-303
Product Type Wireless Access Point

Technical Information

Wireless LAN Standard IEEE 802.11ac
Frequency Band 5 GHz

2.40 GHz

Total Number of Antennas 2
Number of Internal Antennas 2
Wireless Transmission Speed 1.20 Gbit/s
MIMO Technology Yes
Beamforming Technology Yes

Interfaces/Ports

Ethernet Technology Gigabit Ethernet
Number of Network (RJ-45) Ports 1
PoE PD Port Yes
VGA No
HDMI No
USB Yes
Powerline No
Management Port Yes

Physical Characteristics

Form Factor Ceiling Mountable

Wall Mountable

Height 1.4″
Width 5.9″
Depth 5.9″

Warranty

Limited Warranty Lifetime

Miscellaneous

Environmentally Friendly Yes
Environmental Certification cTUVus
HPE Q9H57A – Aruba AP514 Access Point

The 510 series uses 802.11ax features to efficiently and simultaneously serve multiple clients and traffic types in dense environments, increasing data rates for both individual device and overall system.

Q9H57A Specification
Ports (1) HPE SmartRate RJ-45 port (maximum negotiated speed 2.5Gbps), (1) 10/100/1000BASE-T Ethernet
Mounting Pre-installed mounting bracket, for use with optional mounting kit
Input voltage PoE/PoE+ or direct DC power (via optional power supply)
Power Consumption POE powered (802.3at): 19W (802.3at PoE), 13.5W (802.3af PoE), 17 W (DC power supply)
Wi-Fi antenna Four RP-SMA connectors for external dual-band antennas.
Radio coverage Dual-radio IEEE 802.11ax access point with OFDMA and Multi-User MIMO (MU-MIMO). Supports up to 4.8 Gbps in the 5GHz band (with 4SS/HE160 clients) and up to 575 Mbps in the 2.4GHz band (with 2SS/ HE40 clients).
Product Dimensions (imperial) 1.8 x 7.9 x 7.9 in
JW743A – HPE Aruba 7200 Series Controllers

JW743A specification
Device Type Network management device
Form Factor Rack-mountable – 1U
Data Link Protocol Ethernet, Fast Ethernet, Gigabit Ethernet, 10 Gigabit Ethernet
Performance Firewall throughput: 20 Gbps
Capacity Maximum number of access points: 512 / Concurrent devices: 16384 / Virtual interfaces (VLANs): 4094 / Concurrent GRE tunnels: 8192 / Maximum RAPs: 512 / Concurrent tunneled ports: 8192 / Concurrent IPSec sessions: 16384 / Concurrent SSL fallback sessions: 8192 / Active firewall sessions: 2015291
Power AC 120/230 V (50/60 Hz)
Power Redundancy Yes
Dimensions (WxDxH) 17.5 in x 17.5 in x 1.7 in
JL376A Switch

The Aruba 8400 Switch Series is a core and aggregation switch solution with an innovative and powerful approach to dealing with the new applications, security and scalability demands of the mobile, cloud and IoT era.

JL376A Specification
Interfaces/Ports
Uplink Port No
Modular Yes
Stack Port Yes
Media & Performance
Media Type Supported Optical Fiber
Ethernet Technology 10 Gigabit Ethernet, 40 Gigabit Ethernet, 100 Gigabit Ethernet
Network Technology 10GBase-X, 40GBase-X, 100GBase-X
I/O Expansions
Number of Total Expansion Slots 8
Network & Communication
Layer Supported 3
Management & Protocols
Manageable Yes
Power Description
Power Source Power Supply
Redundant Power Supply Supported Yes
Physical Characteristics
Compatible Rack Unit 8U
Form Factor Rack-mountable, Rail-mountable, Surface Mount
Height 13.8″
Width 17.4″
Depth 26″

Are you interested in these products? Welcome to learn details and check the price on Router-switch.com, and please feel free to check the the datasheets there.

Do you have any question about the price?

Contact us now via Live Chat or sales@router-switch.com. Just enjoy up to 5% off to get the new factory-sealed Aruba products!

Check More Aruba Products:

Aruba Wireless

Aruba Controllers

Aruba Switches

Read More:

HPE Aruba, Fortinet and Ruckus | Best Access Points on Router-switch.com in 2022

Share This Post

Post Comment