Aruba orchestrator could be attacked via web interface

Patches shipped this week.

Aruba has fixed a number of critical vulnerabilities affecting multiple versions of its EdgeConnect Enterprise Orchestrator software.

Affected products include the on-premises, as-a-service, service provider, and global enterprise tenant versions of the software, in version 9.1.2.40051 and below; 9.0.7.40108 and below; and 8.10.23.40009 and below, as well as older branches not listed here.

The software’s web-based management interface has an authentication bypass. It was discovered by Daniel Jensen and reported to the company’s bug bounty program, and is covered by two critical-rated CVEs, both of which are yet to be detailed: CVE-2022-37913 and CVE-2022-37914.

Successful exploitation “could allow an attacker to gain administrative privileges leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host”, the company said.

Jensen also found a fault that allowed an unauthenticated attacker to “run arbitrary commands” against the web-based management interface’s underlying host, CVE-2022-37915 (also yet to be explained in more detail).

Also rated critical, this vulnerability affects Aruba EdgeConnect Enterprise Orchestrator (on-premises), 9.1.x branch only; and “any 9.1.x Orchestrator instantiated as a new machine with a release prior to 9.1.3.40197”.

Patched versions are available for software that customers run themselves; customers using the orchestrator as software-as-a-service will be upgraded; and service providers are advised they must upgrade all tenants.
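
A version-triage sketch for the affected ranges listed above, added here as an example and not taken from Aruba or the original article. The host names and inventory are constructed, and it checks only the three version ceilings the article gives, comparing them numerically rather than as strings.

```python
import re

# Highest affected build per branch, as listed in the article.
AFFECTED_CEILING = {
    (9, 1): (9, 1, 2, 40051),
    (9, 0): (9, 0, 7, 40108),
    (8, 10): (8, 10, 23, 40009),
}
FOUR_PART = re.compile(r"\d+(?:\.\d+){3}")

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so 9.1.10.x sorts above 9.1.2.x."""
    text = text.strip()
    if not FOUR_PART.fullmatch(text):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Classify one Orchestrator version against the article's ceilings."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    branch = version[:2]
    ceiling = AFFECTED_CEILING.get(branch)
    if ceiling is not None:
        return "affected" if version <= ceiling else "above-listed-ceiling"
    if branch < min(AFFECTED_CEILING):
        # The article says older branches not listed are affected as well.
        return "affected-older-branch"
    return "branch-not-listed"  # newer branch: check the vendor advisory

def triage(inventory):
    return {host: classify(version) for host, version in inventory.items()}

# Constructed inventory; host names and builds are hypothetical samples.
SAMPLE_INVENTORY = {
    "orch-syd-01": "9.1.2.40051",
    "orch-syd-02": "9.1.10.40001",
    "orch-mel-01": "9.0.7.40108",
    "orch-mel-02": "8.9.4.30000",
    "orch-lab-01": "9.2.0.10000",
    "orch-lab-02": "9.1.x",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:14} {status}")
```

A result of `above-listed-ceiling` only means the build is above the numbers quoted here; for 9.1.x the article separately cites 9.1.3.40197 in relation to CVE-2022-37915.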

Copyright © iTnews.com.au . All rights reserved.