-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2017-002
CVE: CVE-2017-5638
Publication Date: 2017-03-10
Status: Confirmed
Revision: 1

Title
=====

Apache Struts Remote Code Execution Vulnerability

Overview
========

An unauthenticated remote code execution vulnerability in the Apache Struts 2 package has been publicly reported. This advisory details Aruba's exposure to this weakness.

Affected Products
=================

- ClearPass Policy Manager (all versions)

Unaffected Products
===================

- ArubaOS
- Aruba Instant
- AirWave
- ALE
- All Aruba cloud services, including Aruba Central and Meridian
- Niara

Details
=======

In 2017, the Apache Struts team released new versions of the package to address a security vulnerability. The vulnerability allows an unauthenticated attacker to execute code remotely on a vulnerable system by supplying a specially crafted Content-Type header. The attacker's code runs with the privileges of the web server user. Exploit tools exist for this vulnerability and it is being actively exploited.

The ClearPass Policy Manager administrative web interface is affected by the vulnerability. ClearPass Guest, Insight and Graphite are not affected.

Severity: CRITICAL
CVSSv3 Overall Score: 9.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:F/RL:W/RC:C

Resolution
==========

Aruba will be publishing hotfixes for ClearPass 6.5.7 and 6.6.4 no later than Tuesday, March 14, 2017. Additionally, ClearPass 6.6.5 (target release date of March 22, 2017) will include this fix.

Once the hotfix is published, the following methods may be used to install it:

Installing the Patch Online Using the Software Updates Portal:

1. Open ClearPass Policy Manager and go to Administration > Agents and Software Updates > Software Updates.
2. In the Firmware and Patch Updates area, find the "ClearPass 6.5.7 Hotfix Patch for CVE-2017-5638" or "ClearPass 6.6.4 Hotfix Patch for CVE-2017-5638" patch and click the Download button in its row.
3. Click Install.
4. When the installation is complete and the status is shown as "Needs Restart", proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

Installing the Patch Offline Using the Patch File from support.arubanetworks.com:

1. Download the "ClearPass 6.5.7 Hotfix Patch for CVE-2017-5638" or "ClearPass 6.6.4 Hotfix Patch for CVE-2017-5638" patch from the Support site.
2. Open the ClearPass Policy Manager Admin UI and go to Administration > Agents and Software Updates > Software Updates.
3. At the bottom of the Firmware and Patch Updates area, click Import Updates and browse to the downloaded patch file. The name and description once imported may differ from the name and remark on the support site, as these were adjusted after posting. This is purely a cosmetic discrepancy.
4. Click Install.
5. When the installation is complete and the status is shown as Needs Restart, proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

Workarounds
===========

Restrict access to the Policy Manager Admin Web Interface. This can be accomplished by navigating to Administration >> Server Manager >> Server Configuration >> Network >> Restrict Access and allowing only non-public or management networks.

Revision History
================

Revision 1 / March 10, 2017 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: //www.nexbus-cng.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: //www.nexbus-cng.com/support-services/security-bulletins/

(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
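The Details section states that the flaw is triggered by a specially crafted Content-Type header. Until the hotfix is installed, a defender can watch the admin interface's request logs for Content-Type values that are not well-formed media types at all, since those are what the vulnerable multipart handling chokes on. The following is an added illustration, not code from Aruba or from this advisory; the tab-separated log format, the `/admin/...` paths and the client addresses are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

# Strict media-type grammar from RFC 7231 section 3.1.1.1:
#   type "/" subtype *( OWS ";" OWS parameter )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*\s*$"
)

# Expression-language openers that never appear in a legitimate Content-Type value.
_EXPRESSION_MARKERS = ("%{", "${")


def content_type_is_suspicious(value: str) -> bool:
    """True if the header value carries an expression marker or is not a valid media type."""
    stripped = value.strip()
    if any(marker in stripped for marker in _EXPRESSION_MARKERS):
        return True
    return _MEDIA_TYPE.match(stripped) is None


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Constructed log format: timestamp, client, method, path, content-type (tab-separated).
    Returns (client, content_type) for every request whose Content-Type looks hostile."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue  # malformed log line; skip rather than guess
        _ts, client, _method, _path, ctype = fields
        if content_type_is_suspicious(ctype):
            hits.append((client, ctype))
    return hits


# Constructed sample: two normal requests, two probes, one normal request.
SAMPLE_LOG = [
    "2017-03-10T09:12:01Z\t198.51.100.7\tPOST\t/admin/login\tapplication/x-www-form-urlencoded",
    "2017-03-10T09:12:05Z\t198.51.100.7\tPOST\t/admin/upload\tmultipart/form-data; boundary=----constructed1234",
    "2017-03-10T09:13:40Z\t203.0.113.9\tPOST\t/admin/login\t%{#constructed_ognl_probe}",
    "2017-03-10T09:13:41Z\t203.0.113.9\tPOST\t/admin/login\tmultipart/form-data; ${constructed}",
    "2017-03-10T09:14:00Z\t198.51.100.7\tGET\t/admin/\ttext/html; charset=utf-8",
]

if __name__ == "__main__":
    for client, ctype in scan_log(SAMPLE_LOG):
        print(f"suspicious Content-Type from {client}: {ctype!r}")
```

A hit from a source outside the management network is the signal to apply the access restriction described under Workarounds and to check that host for follow-on activity.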