Aruba Orchestrator Could Be Attacked Via Web Interface – Networks – Security


Aruba has fixed a number of critical vulnerabilities affecting multiple versions of its EdgeConnect Enterprise Orchestrator software.

Affected products include on-premises, as-a-service, service provider, and global enterprise tenant versions of the software, version 9.1.2.40051 and lower; 9.0.7.40108 and below; and 8.10.23.40009 and earlier, plus older branches not listed here.

The software’s web management interface has an authentication bypass. The two critical CVEs covering it, CVE-2022-37913 and CVE-2022-37914, were discovered by Daniel Jensen and reported through the company’s bug bounty program; neither has yet been detailed.

Successful exploitation “could allow an attacker to gain administrative privileges leading to a full compromise of the Aruba EdgeConnect Enterprise Orchestrator host,” the company said.

Jensen also discovered a flaw, CVE-2022-37915 (also yet to be further explained), that allowed an unauthenticated attacker to “execute arbitrary commands” on the host underlying the web management interface.

Also classified as critical, this vulnerability affects Aruba EdgeConnect Enterprise Orchestrator (on-premises), branch 9.1.x only, and “any Orchestrator 9.1.x instantiated as a new machine with a version earlier than 9.1.3.40197.”

Patches are available for software that customers use themselves; people using the Orchestrator software as a service will be upgraded; while service providers are notified that they must upgrade all tenants.
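The practical question for an operator is whether a given installed Orchestrator build falls inside the ranges quoted above. The following is an added example (not Aruba’s code or tooling) that encodes only the version boundaries stated in this article: at or below 9.1.2.40051, 9.0.7.40108 and 8.10.23.40009 for the authentication-bypass CVEs, and below 9.1.3.40197 on the 9.1 branch for CVE-2022-37915. Two things are assumptions of the example, not facts from the article: branches older than 8.10 are treated as affected (the article says older branches exist but does not list them), and branches the article does not mention at all are reported as unknown rather than safe.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Highest affected build per branch for the authentication bypass
# (CVE-2022-37913 / CVE-2022-37914), as stated in the advisory summary.
AUTH_BYPASS_MAX_AFFECTED: Dict[Tuple[int, int], Version] = {
    (9, 1): (9, 1, 2, 40051),
    (9, 0): (9, 0, 7, 40108),
    (8, 10): (8, 10, 23, 40009),
}

# CVE-2022-37915 applies to 9.1.x builds earlier than this one.
RCE_FIXED_FROM_9_1: Version = (9, 1, 3, 40197)

OLDEST_LISTED_BRANCH = (8, 10)


def parse_version(text: str) -> Version:
    """Parse a dotted Orchestrator version such as '9.1.2.40051' into a tuple.

    Two to four numeric components are accepted; anything else is rejected so
    that a typo is not silently compared as 'older than everything'.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> Dict[str, Optional[bool]]:
    """Return, per CVE, True (affected), False (not affected by the stated
    ranges) or None (branch not covered by the article)."""
    v = parse_version(version_text)
    branch = (v[0], v[1])

    if branch in AUTH_BYPASS_MAX_AFFECTED:
        # Python tuple comparison handles the build number; a shorter tuple
        # such as (9, 1, 2) compares below (9, 1, 2, 40051), which is the
        # conservative outcome when the build component is missing.
        auth_bypass: Optional[bool] = v <= AUTH_BYPASS_MAX_AFFECTED[branch]
    elif branch < OLDEST_LISTED_BRANCH:
        # Assumption of this example: unlisted older branches are affected.
        auth_bypass = True
    else:
        # Newer or unlisted branch: the article gives no range, so say so.
        auth_bypass = None

    rce = branch == (9, 1) and v < RCE_FIXED_FROM_9_1

    return {
        "CVE-2022-37913": auth_bypass,
        "CVE-2022-37914": auth_bypass,
        "CVE-2022-37915": rce,
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("orch-a", "9.1.2.40051"), ("orch-b", "9.1.3.40197"),
                      ("orch-c", "9.0.7.40108"), ("orch-d", "8.9.0.1")]:
        print(host, ver, assess(ver))
```

A None result is deliberate: a branch the article does not cover should be checked against the vendor advisory rather than assumed patched.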
