Aruba Networks patches critical Struts 2 vulnerability

Security roll-up covers ten vulns.

Aruba Networks has joined the list of vendors whose software could have inherited last year’s Apache Struts 2 vulnerability.

The Struts 2 bug, CVE-2023-50164, first emerged in December, and allows an attacker to manipulate file upload parameters to achieve remote code execution.

Proof-of-concept code was published within days of the bug being disclosed.

Aruba said in an advisory that "the impact of this vulnerability on [its] ClearPass Policy Manager [product] has not been confirmed, but the version of Apache Struts has been upgraded for mitigation."

Cisco patched the vulnerability when it was disclosed in December, and Dell patched the bug earlier this month.

The patch is part of a roll-up by Aruba covering a total of 10 CVEs, five of which carry a CVSS score of 7.2 (high severity).

CVE-2024-26294, CVE-2024-26295, CVE-2024-26296, CVE-2024-26297 and CVE-2024-26298 are all vulnerabilities in the ClearPass Policy Manager web-based management interface.

All five allow remote, authenticated users to run arbitrary commands as root on the underlying operating system.

There are another four medium-rated vulnerabilities: CVE-2024-26299, CVE-2024-26300, CVE-2024-26301 and CVE-2024-26302.

Affected versions are in the ClearPass Policy Manager 6.12.x, 6.11.x, 6.10.x, and 6.9.x software branches.

Copyright © iTnews.com.au. All rights reserved.