Aruba just released the following update regarding the Apache log4j library vulnerabilities. If you’re running a Silver Peak Orchestrator or other GMS products and/or Aruba IntroSpect this will be of interest to you.
Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2021-019
CVE: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832
Publication Date: 2021-Dec-13
Last Update: 2022-Jan-11
Status: Confirmed
Severity: Critical
Revision: 3

Title
=====
Apache log4j library vulnerabilities

Overview
========
Five CVEs have been published about various vulnerabilities discovered in the Apache log4j library. Details can be found at:

CVE-2021-44228 https://nvd.nist.gov/vuln/detail/CVE-2021-44228
CVE-2021-45046 https://nvd.nist.gov/vuln/detail/CVE-2021-45046
CVE-2021-45105 https://nvd.nist.gov/vuln/detail/CVE-2021-45105
CVE-2021-4104 https://nvd.nist.gov/vuln/detail/CVE-2021-4104
CVE-2021-44832 https://nvd.nist.gov/vuln/detail/CVE-2021-44832

Affected Products
=================
-- All Silver Peak Orchestrator and legacy GMS products. For details visit: https://www.arubanetworks.com/website/techdocs/sdwan/docs/advisories/media/security_advisory_notice_apache_log4j2_cve_2021_44228.pdf
-- Aruba IntroSpect: Versions 184.108.40.206 to 220.127.116.11

Unaffected Products
===================
-- AirWave Management Platform
-- Aruba Analytics and Location Engine
-- Aruba Central / Central On-Premises
-- Aruba ClearPass Policy Manager
-- Aruba Instant / Aruba Instant Access Points
-- Aruba Instant On
-- Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
-- Aruba NetEdit
-- Aruba User Experience Insight (UXI)
-- ArubaOS Wi-Fi Controllers and Gateways
-- ArubaOS SD-WAN Gateways
-- ArubaOS-CX Switches
-- ArubaOS-S Switches
-- HP ProCurve Switches
-- Aruba VIA Client

Other Aruba products not listed above are also not known to be affected by the vulnerability.

Details
=======
Since the discovery of these vulnerabilities, Aruba SIRT has been closely monitoring these threats and how they may affect Aruba products. Aruba SIRT consulted with the product teams, and Aruba Threat Labs performed various tests using POC (Proof of Concept) code against products. Although some Aruba products use the log4j library, none of them use it in a way that makes them vulnerable to the published vulnerabilities. The conclusion of the investigation is that the products listed above under the Unaffected Products section are not vulnerable to these vulnerabilities. If new information is discovered, this advisory will be updated.

Resolution
==========
Aruba IntroSpect: Version 18.104.22.168 and above

Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public. Proof of Concept (POC) code is also available for some of them.

Revision History
================
Revision 1 / 2021-Dec-13 / Initial release
Revision 2 / 2021-Dec-17 / CVE-2021-45046 added; update on Silver Peak Orchestrator; listing additional Aruba products in Unaffected Products
Revision 3 / 2022-Jan-11 / CVE-2021-45105, CVE-2021-4104 and CVE-2021-44832 added; IntroSpect added to Affected Products; Overview, Details and Exploitation and Public Discussion sections updated; Resolution section added

Aruba SIRT Security Procedures
==============================
To receive Security Advisory updates, subscribe to notifications at https://sirt.arubanetworks.com/mailman/listinfo/security-alerts_sirt.arubanetworks.com

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.