Security News > 2023 > March > Aruba Networks fixes six critical vulnerabilities in ArubaOS
Aruba Networks published a security advisory to inform customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.
Aruba Networks is a California-based subsidiary of Hewlett Packard Enterprise, specializing in computer networking and wireless connectivity solutions.
The critical flaws addressed by Aruba this time can be separated into two categories: command injection flaws and stack-based buffer overflow problems in the PAPI protocol.
The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 rating of 9.8 out of 10.0.
Applying the mitigations does not address another 15 high-severity and eight medium-severity vulnerabilities listed in Aruba's security advisory, which are fixed by the new versions.
Aruba states that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory, February 28, 2022.
News URL
Related news
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
- Critical vulnerabilities persist in high-risk sectors (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-01 | CVE-2023-22750 | Command Injection vulnerability in Arubanetworks Arubaos and Sd-Wan There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). | 9.8 |
| 2023-03-01 | CVE-2023-22749 | Command Injection vulnerability in Arubanetworks Arubaos and Sd-Wan There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). | 9.8 |
| 2023-03-01 | CVE-2023-22748 | Command Injection vulnerability in Arubanetworks Arubaos and Sd-Wan There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). | 9.8 |
| 2023-03-01 | CVE-2023-22747 | Command Injection vulnerability in Arubanetworks Arubaos and Sd-Wan There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). | 9.8 |