Operational Defect Database
BugZero found this defect 187 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
Hewlett Packard Enterprise | hpesbnw04565en_us
HPESBNW04565 rev.1 - HPE Aruba Access Points, Multiple Vulnerabilities
Last update date:
1/16/2024
Affected products:
Aruba 100 Series Campus Access Points
Aruba 110 Series Campus Access Points
Aruba 120 Series Campus Access Points
Aruba 130 Series Campus Access Points
Aruba 200 Series Campus Access Points
Aruba 207 Series Campus Access Points
Aruba 210 Series Campus Access Points
Aruba 220 Series Campus Access Points
Aruba 260 Series Access Points
Aruba 300 Series Campus Access Points
Aruba 303 Series Campus Access Points
Aruba 318 Series Hardened Access Points
Affected releases:
No affected releases provided.
Fixed releases:
No fixed releases provided.
Description:
Info
Document ID: hpesbnw04565en_us Version: 1 HPESBNW04565 rev.1 - HPE Aruba Access Points, Multiple Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2023-11-14 Last Updated: 2023-11-15 Potential Security Impact: Local: Compromise of System Integrity; Remote: Arbitrary Code Execution, Arbitrary Command Execution, Denial of Service (DoS) Source: Hewlett Packard Enterprise, HPE Product Security Response Team VULNERABILITY SUMMARY Title HPE Aruba Access Points, Multiple Vulnerabilities Note: Information originally published in ARUBA-PSA-2023-017 HPE Aruba Networking Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2023-017 CVE: CVE-2023-45614, CVE-2023-45615, CVE-2023-45616, CVE-2023-45617, CVE-2023-45618, CVE-2023-45619, CVE-2023-45620, CVE-2023-45621, CVE-2023-45622, CVE-2023-45623, CVE-2023-45624, CVE-2023-45625, CVE-2023-45626, CVE-2023-45627 Publication Date: 2023-Nov-14 Status: Confirmed Severity: Critical Revision: 1 Overview HPE Aruba Networking has released patches for Aruba access points running InstantOS and ArubaOS 10 that address multiple security vulnerabilities. Affected Products HPE Aruba Networking Aruba access points running InstantOS and ArubaOS 10 Affected Software Versions: ArubaOS 10.5.x.x: 10.5.0.0 and below ArubaOS 10.4.x.x: 10.4.0.2 and below InstantOS 8.11.x.x: 8.11.1.2 and below InstantOS 8.10.x.x: 8.10.0.8 and below InstantOS 8.6.x.x: 8.6.0.22 and below The following software versions that are End of Maintenance are affected by these vulnerabilities and are not addressed by this advisory: ArubaOS 10.3.x.x: all InstantOS 8.9.x.x: all InstantOS 8.8.x.x: all InstantOS 8.7.x.x: all InstantOS 8.5.x.x: all InstantOS 8.4.x.x: all InstantOS 6.5.x.x: all InstantOS 6.4.x.x: all Unaffected Products Aruba Mobility Conductor, Aruba Mobility Controllers, Access-Points when managed by Mobility Controllers and Aruba SD-WAN Gateways are not affected by these vulnerabilities. Aruba Instant On is also not affected by these vulnerabilities. Details Unauthenticated Buffer Overflow Vulnerabilities in CLI Service Accessed by the PAPI Protocol (CVE-2023-45614, CVE-2023-45615) There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. Internal References: ATLWL-361, ATLWL-362, ATLWL-363, ATLWL-364, ATLWL-365, ATLWL-366, ATLWL-367, ATLWL-368, ATLWL-375, ATLWL-376, ATLWL-377, ATLWL-378, ATLWL-379, ATLWL-390, ATLWL-396, ATLWL-397, ATLWL-400 Severity: Critical CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by XiaoC from Moonlight Bug Hunter and Chancen via HPE Aruba Networking's bug bounty program. Workaround: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services - Aruba Networking TAC for configuration assistance. Unauthenticated Buffer Overflow Vulnerability in AirWave Client Service Accessed by the PAPI Protocol (CVE-2023-45616) There is a buffer overflow vulnerability in the underlying AirWave client service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system. Internal References: ATLWL-382 Severity: Critical CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by XiaoC from Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program. Workaround: Enabling cluster-security via the cluster-security command will prevent the vulnerability from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services - Aruba Networking TAC for configuration assistance. Unauthenticated Arbitrary File Deletion in CLI Service Accessed by the PAPI Protocol (CVE-2023-45617) There are arbitrary file deletion vulnerabilities in the CLI service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point. Internal References: ATLWL-370, ATLWL-371, ATLWL-372, ATLWL-374, ATLWL-392, ATLWL-393, ATLWL-394, ATLWL-395 Severity: High CVSSv3 Overall Score: 8.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Discovery: These vulnerabilities were discovered and reported by XiaoC from Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program. Workaround: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services - Aruba Networking TAC for configuration assistance. Unauthenticated Arbitrary File Deletion in AirWave Client Service Accessed by the PAPI Protocol (CVE-2023-45618) There are arbitrary file deletion vulnerabilities in the AirWave client service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point. Internal References: ATLWL-369, ATLWL-373 Severity: High CVSSv3 Overall Score: 8.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Discovery: These vulnerabilities were discovered and reported by XiaoC from Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program. Workaround: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services - Aruba Networking TAC for configuration assistance. Unauthenticated Arbitrary File Deletion in RSSI Service Accessed by the PAPI Protocol (CVE-2023-45619) There is an arbitrary file deletion vulnerability in the RSSI service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point. Internal References: ATLWL-407 Severity: High CVSSv3 Overall Score: 8.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program. Workaround: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services - Aruba Networking TAC for configuration assistance. Unauthenticated Denial-of-Service (DoS) Vulnerabilities in CLI Service Accessed via the PAPI Protocol (CVE-2023-45620, CVE-2023-45621) Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the CLI service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point. Internal Reference: ATLWL-380, ATLWL-383, ATLWL-385, ATLWL-389, ATLWL-391, ATLWL-398, ATLWL-414 Severity: High CVSSv3 Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: These vulnerabilities were discovered and reported by XiaoC from Moonlight Bug Hunter and Chancen via HPE Aruba Networking's bug bounty program. Workaround: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services - Aruba Networking TAC for configuration assistance. Unauthenticated Denial-of-Service (DoS) Vulnerabilities in BLE Daemon Service Accessed via the PAPI Protocol (CVE-2023-45622) Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the BLE daemon service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point. Internal Reference: ATLWL-387, ATLWL-388 Severity: High CVSSv3 Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: These vulnerabilities were discovered and reported by XiaoC from Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program. Workaround: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services - Aruba Networking TAC for configuration assistance. Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the Wi-Fi Uplink Service Accessed via the PAPI Protocol (CVE-2023-45623) Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the Wi-Fi Uplink service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point. Internal Reference: ATLWL-384, ATLWL-386 Severity: High CVSSv3 Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: These vulnerabilities were discovered and reported by XiaoC from Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program. Workaround: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services - Aruba Networking TAC for configuration assistance. Unauthenticated Denial-of-Service (DoS) Vulnerability in the Soft AP Daemon Service Accessed via the PAPI Protocol (CVE-2023-45624) An unauthenticated Denial-of-Service (DoS) vulnerability exists in the soft ap daemon accessed via the PAPI protocol. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected access point. Internal Reference: ATLWL-381 Severity: High CVSSv3 Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by XiaoC from Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program. Workaround: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services - Aruba Networking TAC for configuration assistance. Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS 10 Command Line Interface (CVE-2023-45625) Multiple authenticated command injection vulnerabilities exist in the command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. Internal Reference: ATLWL-402, ATLWL-403, ATLWL-404 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Chancen via HPE Aruba Networking's bug bounty program. Workaround: To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Persistent Authenticated Arbitrary Code Execution across Boot Cycles (CVE-2023-45626) An authenticated vulnerability has been identified allowing an attacker to effectively establish highly privileged persistent arbitrary code execution across boot cycles. Internal References: ATLWL-399 Severity: Medium CVSSv3 Overall Score: 5.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L Discovery: This vulnerability was discovered by Nicholas Starke of Aruba Threat Labs. Workaround: This vulnerability cannot be exploited as part of the normal operation of the device. An attacker must already have full control of the affected device. To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Authenticated Denial-of-Service (DoS) Vulnerability in CLI Service (CVE-2023-45627) An authenticated Denial-of-Service (DoS) vulnerability exists in the CLI service. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected access point. Internal Reference: ATLWL-405 Severity: Medium CVSSv3 Overall Score: 4.3 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program. Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Exploitation and Public Discussion HPE Aruba Networking is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. References: CVE-2023-45614 CVE-2023-45615 CVE-2023-45616 CVE-2023-45617 CVE-2023-45618 CVE-2023-45619 CVE-2023-45620 CVE-2023-45621 CVE-2023-45622 CVE-2023-45623 CVE-2023-45624 CVE-2023-45625 CVE-2023-45626 CVE-2023-45627 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Aruba 100 Series Access Points - See vulnerability summary for affected versions Aruba 110 Series Access Points - See vulnerability summary for affected versions Aruba 120 Series Access Points - See vulnerability summary for affected versions Aruba 130 Series Access Points - See vulnerability summary for affected versions Aruba 200 Series Access Points - See vulnerability summary for affected versions Aruba 207 Series Access Points - See vulnerability summary for affected versions Aruba 210 Series Access Points - See vulnerability summary for affected versions Aruba 220 Series Access Points - See vulnerability summary for affected versions Aruba 260 Series Access Points - See vulnerability summary for affected versions Aruba 300 Series Access Points - See vulnerability summary for affected versions Aruba 303 Series Access Points - See vulnerability summary for affected versions Aruba 318 Series Hardened Access Points - See vulnerability summary for affected versions Aruba 320 Series Access Points - See vulnerability summary for affected versions Aruba 330 Series Access Points - See vulnerability summary for affected versions Aruba 340 Series Access Points - See vulnerability summary for affected versions Aruba 370 Series Access Points - See vulnerability summary for affected versions Aruba 500 Series Access Points - See vulnerability summary for affected versions Aruba 510 Series Access Points - See vulnerability summary for affected versions Aruba 530 Series Access Points - See vulnerability summary for affected versions Aruba 550 Series Access Points - See vulnerability summary for affected versions Aruba 630 Series Access Points - See vulnerability summary for affected versions Aruba 650 Series Access Points - See vulnerability summary for affected versions BACKGROUND HPE calculates CVSS using CVSS Version 3.1. If the score is provided from NIST, we will display Version 2.0, 3.0, or 3.1 as provided from NVD. Reference V3 Vector V3 Base Score V2 Vector V2 Base Score CVE-2023-45614 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2023-45615 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2023-45616 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2023-45617 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 8.2 (AV:N/AC:L/Au:N/C:N/I:P/A:C) 8.5 CVE-2023-45618 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 8.2 (AV:N/AC:L/Au:N/C:N/I:P/A:C) 8.5 CVE-2023-45619 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 8.2 (AV:N/AC:L/Au:N/C:N/I:P/A:C) 8.5 CVE-2023-45620 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2023-45621 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2023-45622 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2023-45623 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2023-45624 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2023-45625 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 7.2 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2023-45626 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L 5.5 (AV:N/AC:L/Au:S/C:N/I:C/A:P) 7.5 CVE-2023-45627 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 4.3 (AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0 Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002 Please see vulnerability summary for acknowledgement of individual reporters. RESOLUTION To address the vulnerabilities described above for the affected release branches, it is recommended to upgrade the software to the following versions: ArubaOS 10.5.x.x: 10.5.0.1 and above ArubaOS 10.4.x.x: 10.4.0.3 and above InstantOS 8.11.x.x: 8.11.2.0 and above InstantOS 8.10.x.x: 8.10.0.9 and above InstantOS 8.6.x: 8.6.0.23 and above HPE Aruba Networking does not evaluate or patch InstantOS and ArubaOS 10 software branches that have reached their End of Maintenance (EoM) milestone. For more information about Aruba's End of Maintenance policy visit: https://www.arubanetworks.com/support-services/end-of-life/ HISTORY Version:1 (rev.1) - 14 November 2023 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web Form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Hewlett Packard Enterprise Product Security Response Policy: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive System management and security procedures must be reviewed frequently to maintain system integrity. HPE is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HPE is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HPE products the important security information contained in this Bulletin. HPE recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HPE does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HPE will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HPE disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." ©Copyright 2024 Hewlett Packard Enterprise Development LP Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
Scope
None
Resolution
To address the vulnerabilities described above for the affected release branches, it is recommended to upgrade the software to the following versions: ArubaOS 10.5.x.x: 10.5.0.1 and above ArubaOS 10.4.x.x: 10.4.0.3 and above InstantOS 8.11.x.x: 8.11.2.0 and above InstantOS 8.10.x.x: 8.10.0.9 and above InstantOS 8.6.x: 8.6.0.23 and above HPE Aruba Networking does not evaluate or patch InstantOS and ArubaOS 10 software branches that have reached their End of Maintenance (EoM) milestone. For more information about Aruba's End of Maintenance policy visit: https://www.arubanetworks.com/support-services/end-of-life/ HISTORY Version:1 (rev.1) - 14 November 2023 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web Form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Hewlett Packard Enterprise Product Security Response Policy: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
