- Aruba announced the release of patches that address multiple critical-severity vulnerabilities impacting Aruba EdgeConnect Orchestrator.
- The advisory states that the vulnerabilities can cause authentication bypass, leading to system takeover or unauthenticated remote code execution.
- Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.
Aruba released a security advisory regarding multiple critical-severity vulnerabilities impacting Aruba EdgeConnect Orchestrator. According to the advisory, the vulnerabilities can cause authentication bypass, leading to system takeover or unauthenticated remote code execution in the Aruba EdgeConnect Enterprise Orchestrator web-based management interface.
System takeover
Two vulnerabilities, tracked as CVE-2022-37913 and CVE-2022-37914, were found in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator and allow attackers to bypass authentication. Both carry a CVSS score of 9.8. Successful exploitation gives the attacker administrative privileges, leading to a complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host.
A third vulnerability, tracked as CVE-2022-37915, is a remote code execution flaw in the same web-based management interface. It allows attackers to run arbitrary commands on the underlying host, which likewise leads to complete system compromise.
According to the advisory, the affected products are:
- Aruba EdgeConnect Enterprise Orchestrator (on-premises)
- Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
- Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators
- Orchestrator 9.1.2.40051 and below
- Orchestrator 9.0.7.40108 and below
- Orchestrator 8.10.23.40009 and below
- Any older branches of Orchestrator not specifically mentioned
Users are urged to upgrade Aruba EdgeConnect Enterprise Orchestrator to one of the following versions with the fixes to resolve all issues:
- Aruba EdgeConnect Enterprise Orchestrator (on-premises)
  - Orchestrator 9.2.0.40405 and above
  - Orchestrator 9.1.3.40197 and above
  - Orchestrator 9.0.7.40110 and above
  - Orchestrator 8.10.23.40015 and above
- Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
  - TAC will automatically create a support case for Aruba (Silver Peak) hosted Orchestrators to be upgraded.
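The affected and fixed builds above are branch-specific, so a plain "is my version lower than X" check is not enough. The following added example (written for this summary, not code from Aruba or the advisory) assesses an Orchestrator version string against the branches listed here; it treats any build below its branch's fixed build as affected, any older branch the advisory does not name as affected, and any branch newer than 9.2 as outside the advisory's scope.

```python
from __future__ import annotations

# Fixed builds from the advisory summary, keyed by (major, minor) branch.
# Anything on a listed branch below its fixed build is treated as affected,
# as is "any older branch of Orchestrator not specifically mentioned".
FIXED_BUILDS = {
    (9, 2): (9, 2, 0, 40405),
    (9, 1): (9, 1, 3, 40197),
    (9, 0): (9, 0, 7, 40110),
    (8, 10): (8, 10, 23, 40015),
}


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse an Orchestrator version string such as '9.1.2.40051'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Orchestrator version format: {text!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return major, minor, patch, build


def assess(text: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for an Orchestrator version."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        # Tuple comparison orders major, minor, patch, build numerically.
        return "fixed" if version >= FIXED_BUILDS[branch] else "affected"
    if branch > max(FIXED_BUILDS):
        # Newer than the newest branch the advisory covers: not assessed by it.
        return "unknown"
    return "affected"


def minimum_fixed(text: str) -> str | None:
    """Lowest fixed build on the same branch, or None if that branch has no fix listed."""
    fixed = FIXED_BUILDS.get(parse_version(text)[:2])
    return ".".join(map(str, fixed)) if fixed else None


if __name__ == "__main__":
    # Constructed sample versions spanning the branches in the advisory summary.
    for v in ["9.1.2.40051", "9.1.3.40197", "9.0.7.40109", "8.9.0.1", "10.0.0.1"]:
        print(f"{v}: {assess(v)} (upgrade to: {minimum_fixed(v) or 'a supported branch'})")
```

A result of `affected` on an unlisted older branch means there is no in-branch fix and the upgrade target must be one of the fixed branches above.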
Aruba also published a workaround to reduce the likelihood of these vulnerabilities being exploited: restrict the CLI and web-based management interfaces to a dedicated layer 2 segment/VLAN and/or control access to them with firewall policies at layer 3 and above.