-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2018-003
CVE: CVE-2018-7058, CVE-2018-7059, CVE-2018-7060, CVE-2018-0489

Title
=====
ClearPass Policy Manager Multiple Vulnerabilities

Overview
========
Aruba has released an update to ClearPass Policy Manager that addresses
four security vulnerabilities.

Affected Products
=================
ClearPass 6.6.x prior to 6.6.9 (and 6.6.9 without the 'ClearPass 6.6.9
Hotfix Patch for CVE-2018-0489' applied)
ClearPass 6.7.x prior to 6.7.2

Details
=======

Authentication Bypass Could Lead to Server Compromise (CVE-2018-7058)
-------------------------------------------------------------------
All versions of ClearPass 6.6.x prior to 6.6.9 are affected by an
authentication bypass vulnerability. An unauthenticated attacker could
use this vulnerability to gain administrative privileges on the system.
The vulnerability is exposed only through the ClearPass web interface,
which includes the administrative interface, the captive portal and the
API. Customers who do not expose the ClearPass web interface to
untrusted users are at lower risk.

Severity: CRITICAL
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the BugCrowd managed bug bounty program.

Resolution: Fixed in 6.6.9 and 6.7.0.

Authenticated Disclosure of Cluster Password (CVE-2018-7059)
------------------------------------------------------------
ClearPass prior to 6.6.9 has a vulnerability in the API that coordinates
cluster actions. The issue is reachable only by an authenticated user
holding the 'mon' permission; such a user could use it to obtain cluster
credentials, which could allow privilege escalation.

Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered by Luke Young (@TheBoredEng)
and reported through the BugCrowd managed bug bounty program.

Resolution: Fixed in 6.6.9 and 6.7.0.

Authenticated Sessions Are Vulnerable to CSRF Attacks (CVE-2018-7060)
---------------------------------------------------------------------
ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 are vulnerable
to cross-site request forgery (CSRF) attacks against authenticated
users. An attacker could manipulate an authenticated user into
performing actions on the web administrative interface. The PR:H and
UI:R terms of the vector reflect that the victim must be an
administrative user with an active session who is induced to load
attacker-controlled content.

Severity: MEDIUM
CVSSv3 Overall Score: 6.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Resolution: Fixed in 6.6.9 and 6.7.1.
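The following is an added example and is not part of the advisory or of Aruba's software: a small Python triage helper that re-derives the CVSSv3 base scores from the four published vectors (the three above and CVE-2018-0489 in the next section) using the formulas and metric weights of the CVSS v3.0 specification, and maps an installed ClearPass version to the steps given in the Resolution section further down. The version-to-action mapping is this example's reading of the advisory text, and all function, dictionary and parameter names (base_score, recheck_scores, required_action, hotfix_0489_applied) are the example's own assumptions.

```python
"""Triage helper for ARUBA-PSA-2018-003 (added example, not Aruba code).
Re-derives the published CVSS v3.0 base scores from their vectors and maps an
installed ClearPass version to the action in the Resolution section."""
import math
import re

# Metric weights from the CVSS v3.0 specification, section 8.4.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
       "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # scope changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_VEC = re.compile(r"^CVSS:3\.0/AV:([NALP])/AC:([LH])/PR:([NLH])/UI:([NR])"
                  r"/S:([UC])/C:([HLN])/I:([HLN])/A:([HLN])$")


def _roundup(x):
    """Spec 'Roundup': smallest one-decimal value >= x, in integer arithmetic
    so that e.g. 7.4933 -> 7.5 and 9.760 -> 9.8 without float surprises."""
    n = int(round(x * 100000))
    return n / 100000.0 if n % 10000 == 0 else (math.floor(n / 10000) + 1) / 10.0


def base_score(vector):
    """CVSS v3.0 base score for a full base vector string."""
    m = _VEC.match(vector.strip())
    if not m:
        raise ValueError("not a CVSS v3.0 base vector: %r" % vector)
    av, ac, pr, ui, s, c, i, a = m.groups()
    iss = 1 - (1 - _CIA[c]) * (1 - _CIA[i]) * (1 - _CIA[a])
    if s == "C":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * _AV[av] * _AC[ac] * _PR[s][pr] * _UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if s == "C" else total, 10))


def severity(score):
    """Qualitative rating from the CVSS v3.0 severity scale."""
    for limit, label in ((0.1, "NONE"), (4.0, "LOW"), (7.0, "MEDIUM"), (9.0, "HIGH")):
        if score < limit:
            return label
    return "CRITICAL"


# Vectors and overall scores exactly as printed in this advisory.
ADVISORY = {
    "CVE-2018-7058": ("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8),
    "CVE-2018-7059": ("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", 7.5),
    "CVE-2018-7060": ("CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", 6.4),
    "CVE-2018-0489": ("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", 8.2),
}


def recheck_scores():
    """{cve: (computed, published)}; any mismatch means a typo in vector or score."""
    return {cve: (base_score(vec), pub) for cve, (vec, pub) in ADVISORY.items()}


def _parse_version(text):
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)$", text.strip())
    if not m:
        raise ValueError("expected a version like 6.6.9, got %r" % text)
    return tuple(int(p) for p in m.groups())


def required_action(version, hotfix_0489_applied=False):
    """Action from the Resolution section for an installed 6.6.x / 6.7.x build.
    hotfix_0489_applied: whether 'ClearPass 6.6.9 Hotfix Patch for CVE-2018-0489'
    is installed (only meaningful on 6.6.9). Assumed names, not Aruba's."""
    v = _parse_version(version)
    if v[:2] == (6, 6):
        if v < (6, 6, 9):
            return "upgrade to 6.6.9, then install the CVE-2018-0489 hotfix"
        if v == (6, 6, 9) and not hotfix_0489_applied:
            return "install the CVE-2018-0489 hotfix"
        return "no action for this advisory"
    if v[:2] == (6, 7):
        return "upgrade to 6.7.2" if v < (6, 7, 2) else "no action for this advisory"
    return "version not covered by this advisory"


if __name__ == "__main__":
    for cve, (computed, published) in recheck_scores().items():
        flag = "OK" if computed == published else "MISMATCH"
        print("%s: %.1f %s (published %.1f) %s" % (cve, computed, severity(computed), published, flag))
    for build, hotfix in (("6.6.5", False), ("6.6.9", False), ("6.6.9", True), ("6.7.1", False)):
        print("ClearPass %s%s: %s" % (build, " + hotfix" if hotfix else "", required_action(build, hotfix)))
```

All four published scores reproduce exactly from their vectors, which also confirms the severity labels (CRITICAL, HIGH, MEDIUM, HIGH). The integer rounding in _roundup matters: a naive math.ceil on floats can push a value that sits exactly on a tenth up to the next one.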
Authenticated User Can Gain Access as a Different User (CVE-2018-0489)
--------------------------------------------------------------------
ClearPass includes a third-party implementation of SAML that can allow
an attacker with authenticated access to trick SAML systems into
authenticating as a different user without knowledge of the victim
user's password. This vulnerability is only present if ClearPass SAML
features are enabled under Configuration -> Identity -> Single Sign-On
(SSO).

The vulnerability affects all ClearPass 6.6.x versions up to and
including 6.6.9 that do not have the 'ClearPass 6.6.9 Hotfix Patch for
CVE-2018-0489' applied, and ClearPass 6.7.x prior to 6.7.2.

This vulnerability affects all uses of SAML within ClearPass, including:
- Administrative logins to Policy Manager, Guest and Insight.
- Onboard device provisioning portals.
- Guest Operator Login to Guest and Onboard applications.
- Aruba Auto Sign-On (ASO).

Severity: HIGH
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Resolution
==========
1. If running any of the prior 6.6.x versions, upgrade ClearPass Policy
   Manager to version 6.6.9 and then install the 'ClearPass 6.6.9
   Hotfix Patch for CVE-2018-0489'.
   Note: Version 6.6.9 also contains fixes for CVE-2017-9001 and
   CVE-2017-5708, which were previously announced.
2. If running ClearPass Policy Manager 6.7.0 or 6.7.1, upgrade to
   version 6.7.2.

Workarounds
===========
None. As a standard best practice, Aruba recommends that ClearPass
administrators restrict access to the Policy Manager Admin Web
Interface. Note that this limits exposure of the administrative
interface only; the captive portal, Guest and Onboard portals listed
above as affected surfaces are intended to be reachable by end users,
so upgrading is the only complete fix. Access can be restricted by
navigating to Administration >> Server Manager >> Server Configuration >>
>> Network >> Restrict Access and allowing only non-public or network
management networks.

Revision History
================
Revision 1 / 2018-Mar-21 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
://www.nexbus-cng.com/support-services/security-bulletins/

For reporting *new* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public key can be found at:
://www.nexbus-cng.com/support-services/security-bulletins/

(c) Copyright 2018 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----