Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2019-003
CVE: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-12126,
     CVE-2018-12127, CVE-2018-12130, CVE-2019-110911

Title
=====
Impact of CPU Side-Channel Attacks on Aruba

Overview
========
This is an update to ARUBA-PSA-2018-001
(//www.nexbus-cng.com/assets/alert/ARUBA-PSA-2018-001.txt).
Examples include MDS (Microarchitectural Data Sampling), ZombieLoad,
Fallout, RIDL, and Store-to-Leak Forwarding. All of these techniques
share similar characteristics. Aruba is not affected by these
vulnerabilities. The text of this advisory will continue to apply to
future related vulnerabilities unless Aruba issues an advisory stating
otherwise.

Affected Products
=================
- None (see details and caveats below)

Details
=======
Aruba products are based on a number of different CPU architectures,
some of which are affected by CPU side-channel vulnerabilities.
However, no Aruba product allows an unauthorized user to execute
arbitrary code, which is a capability required to carry out any type
of side-channel attack. Achieving code execution would require the
presence of a second, unrelated vulnerability, and such a vulnerability
would most likely already allow the system to be compromised without
further exploitation.

Caveats to the above statement:

Virtual Appliances: ClearPass Policy Manager, AirWave, Mobility Master,
Virtual Mobility Controller, and IntroSpect Packet Processor are all
available as virtual appliances, running as guests under a hypervisor.
If the hypervisor is vulnerable and untrusted users have access to
other guest systems running under the same hypervisor, an attacker may
be able to read memory from the Aruba virtual appliance. Contact your
virtualization vendor to determine whether updates are available.

Aruba 8320/8400: This product provides the ability for authorized
administrators to run scripts, which could be used to exploit the
vulnerability. However, an administrator with access to run scripts
already has full administrative rights and can control any aspect of
the system. Thus, the vulnerability does not contribute to any form of
information disclosure or privilege escalation.

Cloud Products: Aruba's cloud providers supporting products such as
Central, Activate, and Meridian have notified Aruba that they are in
the process of applying, or have already applied, mitigation patches to
their virtualization environments.

Resolution
==========
No immediate action is required. As part of a defense-in-depth
strategy, Aruba regularly investigates kernel patches, CPU microcode
updates, and other mitigations and may deploy these in future software
updates. However, some mitigation techniques are known to reduce system
performance significantly. Therefore, given the limited security risk,
Aruba will take the time to carefully test the impact of any mitigation
techniques on scalability before releasing updates.

Workarounds
===========
No workarounds required.

Exploitation and Public Discussion
==================================
Aruba is aware of significant public discussion of this issue. Proof of
concept code has been published. None of the published code is
applicable to Aruba products.

Revision History
================
Revision 1 / 2019-Jun-24 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

//www.nexbus-cng.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

//www.nexbus-cng.com/support-services/security-bulletins/

(c) Copyright 2019 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.