Aruba bugs squashed in seven-vuln splatfest
ClearPass Policy Manager needs upgrade
In case you missed it: there's a bunch of bad bugs in HPE's Aruba ClearPass Policy Manager.
HPE hasn't detailed the nature of the vulnerabilities, but they include an unauthenticated remote code execution (RCE) bug (CVE-2017-5824), a privilege escalation bug (CVE-2017-5825), an RCE available to authenticated users (CVE-2017-5826), a reflected cross-site scripting (XSS) bug (CVE-2017-5827), arbitrary command execution via an XML external entity (CVE-2017-5828), and an access control bypass (CVE-2017-5829).
While they were at it, HPE also patched a bug it inherited from Apache Tomcat – CVE-2017-5647, which popped up earlier this month. That was a bug in Tomcat's pipeline handling that could result in information leakage.
All versions of the ClearPass Policy Manager prior to v6.6.5 are affected. Version 6.6.5 was released in March and updated in April, and HPE says that after upgrading to that version, customers also need to apply an additional hotfix.
The patch is available for offline installation from Aruba. ®