Aruba orchestrator could be attacked via web interface

Patches shipped this week.

Aruba has fixed a number of critical vulnerabilities affecting multiple versions of its EdgeConnect Enterprise Orchestrator software.

Affected products include the on-premises, as-a-service, service provider, and global enterprise tenant versions of the software, in version 9.1.2.40051 and below; 9.0.7.40108 and below; and 8.10.23.40009 and below, as well as older branches not listed here.

The software’s web-based management interface has an authentication bypass. Discovered by Daniel Jensen and reported through the company’s bug bounty program, it is tracked as two critical-rated CVEs, CVE-2022-37913 and CVE-2022-37914, neither of which has yet been detailed.

Successful exploitation “could allow an attacker to gain administrative privileges leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host”, the company said.

Jensen also found a fault that allows an unauthenticated attacker to “run arbitrary commands” on the host underlying the web-based management interface; it is tracked as CVE-2022-37915 and is also yet to be explained in more detail.

Also rated critical, this vulnerability affects Aruba EdgeConnect Enterprise Orchestrator (on-premises) in the 9.1.x branch only, and “any 9.1.x Orchestrator instantiated as a new machine with a release prior to 9.1.3.40197”.

Patched versions are available for customers who run the software themselves; customers using the orchestrator as a service will be upgraded; and service providers are advised that they must upgrade all tenants.
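For administrators with more than a handful of Orchestrator instances, the first question is which ones fall inside the affected ranges quoted above for the authentication bypass. The following is an added example, not code from the article or from Aruba: the range table is transcribed from the version list in this article, while the parsing, comparison and inventory-triage logic (and the sample inventory) are constructed for illustration. It deliberately returns "unknown" for branches newer than 9.1, since the article makes no statement about them, and it treats branches older than 8.10 as affected because the article says older branches are affected too. It does not model the separate, 9.1.x-only command-execution issue (CVE-2022-37915), whose affected set is described in terms of the release a machine was instantiated with rather than a simple upper bound.

```python
"""Triage EdgeConnect Orchestrator versions against the affected ranges the
article quotes for CVE-2022-37913 / CVE-2022-37914 (authentication bypass).

Added example: the LAST_AFFECTED table is transcribed from the article; the
parsing, comparison and triage logic below is constructed and is not Aruba's.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Highest affected build per (major, minor) branch, i.e. "X and below".
LAST_AFFECTED: Dict[Tuple[int, int], Version] = {
    (9, 1): (9, 1, 2, 40051),
    (9, 0): (9, 0, 7, 40108),
    (8, 10): (8, 10, 23, 40009),
}
# The article lists nothing older than 8.10 but says older branches are affected.
OLDEST_LISTED_BRANCH = (8, 10)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch.build' into a 4-tuple of ints.

    Exactly four numeric components are required so that an abbreviated
    string such as '9.1' cannot be silently compared as 'below everything'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if it is above
    the last affected build of a listed branch, None if the branch is newer
    than any the article covers (no statement either way)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in LAST_AFFECTED:
        # Tuple comparison is lexicographic, so this matches "X and below".
        return version <= LAST_AFFECTED[branch]
    if branch < OLDEST_LISTED_BRANCH:
        return True  # per the article: older branches are affected as well
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'affected' | 'not affected' | 'unknown' | 'unparseable'."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = labels[is_affected(version)]
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "orch-prod-01": "9.1.2.40051",   # exactly the last affected 9.1 build
        "orch-prod-02": "9.1.3.40197",   # above the affected range
        "orch-lab-01": "8.10.23.40009",  # last affected 8.10 build
        "orch-legacy": "8.9.0.1",        # older branch, affected per article
        "orch-new": "9.2.0.1",           # not covered by the article
        "orch-bad": "9.1.x",             # malformed inventory entry
    }
    for host, status in triage(sample).items():
        print(f"{host:14} {sample[host]:14} {status}")
```

The check is intentionally conservative: a malformed inventory entry is reported as "unparseable" rather than skipped, so that nothing drops out of the list unnoticed.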

Copyright © iTnews.com.au . All rights reserved.