Hard on the heels of the TLStorm 2.0 vulnerability, HPE subsidiary Aruba Networks has issued another critical-severity security advisory.
The company’s alert lists a total of 21 bugs for which Common Vulnerabilities and Exposures (CVE) numbers have been assigned, but it’s the first three – CVE-2022-23657, CVE-2022-23658 and CVE-2022-23660 – that need the most urgent attention.
The bugs are in ClearPass Policy Manager, Aruba's network access control (NAC) software.
Daniel Jensen reported the bugs through the company’s bug bounty program.
Jensen found that the ClearPass web-based management interface can be exploited to let an unauthenticated remote attacker run arbitrary commands on the host running the software.
“Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise”, the advisory states.
The vulnerabilities exist in ClearPass Policy Manager 6.10.4 and below in the 6.10.x patch series, 6.9.9 and below in the 6.9.x patch series, and 6.8.9-HF2 and below in the 6.8.x patch series.
Fixes have been published for all supported versions of the software.
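The advisory gives three affected ranges with a hotfix suffix on one of them, which is exactly the shape that trips up a quick fleet inventory check. The following is an added example, not code from Aruba or from the advisory: it parses ClearPass version strings (including the "-HFn" hotfix suffix) and tests each one against the ceilings quoted above. The assumption that a hotfix sorts after the plain release it patches (6.8.9 < 6.8.9-HF1 < 6.8.9-HF2) is mine, as is the version-string format; the sample inventory is constructed.

```python
"""Triage ClearPass Policy Manager versions against the advisory's ranges.

Affected (per the advisory): 6.10.x up to 6.10.4, 6.9.x up to 6.9.9,
6.8.x up to 6.8.9-HF2. Assumed ordering of hotfix builds:
6.8.9 < 6.8.9-HF1 < 6.8.9-HF2 < 6.8.9-HF3.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, hotfix)

# Assumed format: "6.8.9" or "6.8.9-HF2" (case-insensitive suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-HF(\d+))?$", re.IGNORECASE)

# Highest affected build per branch, taken from the advisory text.
# Branches absent from this table cannot be judged from the advisory alone.
LAST_AFFECTED: Dict[Tuple[int, int], Version] = {
    (6, 10): (6, 10, 4, 0),
    (6, 9): (6, 9, 9, 0),
    (6, 8): (6, 8, 9, 2),
}


def parse_version(text: str) -> Version:
    """Turn '6.8.9-HF2' into (6, 8, 9, 2); a missing hotfix counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ClearPass version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if inside an affected range, False if above it on a listed
    branch, None if the branch is not covered by the advisory."""
    version = parse_version(text)
    ceiling = LAST_AFFECTED.get(version[:2])
    if ceiling is None:
        return None
    # Tuple comparison handles patch and hotfix in one step.
    return version <= ceiling


def triage(versions: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each inventory entry to its advisory status."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts or real scan data.
    sample = ["6.10.4", "6.10.5", "6.9.9", "6.9.10",
              "6.8.9", "6.8.9-HF2", "6.8.9-HF3", "6.11.0"]
    labels = {True: "AFFECTED", False: "above advisory range", None: "branch not listed"}
    for ver, status in triage(sample).items():
        print(f"{ver:12s} {labels[status]}")
```

A result of False only means the build is above the range the advisory lists as affected; the page does not name the fixed versions, so confirm the actual patched build against the advisory before closing a ticket. A result of None (for example a 6.11.x build) is deliberately left undecided rather than silently treated as safe.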
Earlier this week, Armis released details of TLStorm 2.0, a set of flaws in a TLS library used in network switches, which it said affected millions of switches worldwide, including those made by Aruba Networks.