These upgrades are available to customers through the Internet Provisioning Portal. Customers should upgrade their devices as soon as possible to prevent exploitation of these vulnerabilities. These vulnerabilities are also addressed in the following releases: ArubaOS 10.4.x: 10.4.6.17 and below; ArubaOS 10.5.x: 10.5.3.5 and below; ArubaOS 10.6.x: 10.6.0.28 and below; ArubaOS 10.7.x: 10.7.1.14 and below; ArubaOS 10.8.x: 10.8.1.1 and below; ArubaOS 10.9.x: 10.9.0.1 and below; ArubaOS 10.10.x: 10.10.0.6 and below; ArubaOS 11.0.x: 11.0.0.0 and below.

Summary of Vulnerabilities

There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5

CVE-2022-37889

These vulnerabilities are addressed in the ArubaOS releases listed above (10.4.x through 11.0.x).

Vulnerability Information

Two buffer overflow vulnerabilities exist in Aruba InstantOS 6.4.x and 6.5.x that may lead to unauthenticated remote code execution, that is, the ability to execute arbitrary code as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5

Description

Aruba Networks has released updates to protect against buffer overflow vulnerabilities in Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below and Aruba InstantOS 6.5.x: 6.5 that could allow unauthenticated remote code execution by sending specially crafted packets to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation results in the ability to execute arbitrary code as a privileged user on the underlying operating system of those releases, which could lead to loss of service or data theft from devices running them.
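A triage helper for the version lists quoted in this advisory, added here as an example and not part of the advisory or of any Aruba tooling. It reads each "build and below" entry on this page as an inclusive upper bound and flags inventory entries at or below it for upgrade; the InstantOS 6.5.x entry is truncated on the page and is therefore omitted rather than guessed. The inventory records, the product labels used as keys, and the function names are constructed for the example.

```python
"""Flag Aruba InstantOS / ArubaOS builds at or below the thresholds quoted in the advisory."""
import re
from typing import Optional

# Thresholds copied from the advisory text above. "<build> and below" is read as an
# inclusive upper bound. The InstantOS 6.5.x entry is truncated on the page, so it is
# left out rather than invented. Product labels are this example's own keys.
THRESHOLDS = {
    "Aruba InstantOS 6.4.x": "6.4.4.8-4.2.4.20",
    "ArubaOS 10.4.x": "10.4.6.17",
    "ArubaOS 10.5.x": "10.5.3.5",
    "ArubaOS 10.6.x": "10.6.0.28",
    "ArubaOS 10.7.x": "10.7.1.14",
    "ArubaOS 10.8.x": "10.8.1.1",
    "ArubaOS 10.9.x": "10.9.0.1",
    "ArubaOS 10.10.x": "10.10.0.6",
    "ArubaOS 11.0.x": "11.0.0.0",
}

# Dotted numeric version, optionally followed by "-<dotted build>" (InstantOS style).
_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*(?:-\d+(?:\.\d+)*)?$")


def parse_version(text: str) -> tuple[tuple[int, ...], ...]:
    """'6.4.4.8-4.2.4.20' -> ((6, 4, 4, 8), (4, 2, 4, 20)); '10.4.6.17' -> ((10, 4, 6, 17),).

    Tuples of int tuples compare lexicographically, so '10.10.x' sorts after '10.9.x'
    (a plain string comparison would get that wrong).
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(tuple(int(n) for n in part.split(".")) for part in text.split("-"))


def assess(product: str, version: str) -> Optional[bool]:
    """True: at or below the page's threshold for its release train (upgrade).
    False: above it. None: the train is not listed on this page."""
    parsed = parse_version(version)
    major = parsed[0][0]
    minor = parsed[0][1] if len(parsed[0]) > 1 else 0
    train = f"{product} {major}.{minor}.x"
    limit = THRESHOLDS.get(train)
    if limit is None:
        return None
    return parsed <= parse_version(limit)


def triage(devices: list[dict]) -> list[dict]:
    """Return the inventory entries that are at or below their train's listed build."""
    return [d for d in devices if assess(d["product"], d["version"]) is True]


# Constructed sample inventory for the example; these are not real devices.
SAMPLE_INVENTORY = [
    {"name": "ap-lobby-1", "product": "Aruba InstantOS", "version": "6.4.4.8-4.2.4.20"},
    {"name": "ap-lobby-2", "product": "Aruba InstantOS", "version": "6.4.4.8-4.2.4.21"},
    {"name": "ap-floor3", "product": "ArubaOS", "version": "10.10.0.6"},
    {"name": "ap-floor4", "product": "ArubaOS", "version": "10.10.0.7"},
    {"name": "ap-lab", "product": "ArubaOS", "version": "10.1.0.3"},  # train not on this page
]

if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY):
        print(f"{d['name']}: {d['product']} {d['version']} is at or below the listed build; upgrade")
    for d in SAMPLE_INVENTORY:
        if assess(d["product"], d["version"]) is None:
            print(f"{d['name']}: {d['product']} {d['version']} is on a train this advisory does not list; check the vendor")
```

Entries whose train is not on the page come back as None rather than False, so an AP on an unlisted train is surfaced for a manual check instead of being silently treated as safe.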

Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/11/2022 05:15:00 UTC

References