Security News > 2023 > March > Aruba Networks fixes six critical vulnerabilities in ArubaOS
Aruba Networks published a security advisory to inform customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.
Aruba Networks is a California-based subsidiary of Hewlett Packard Enterprise, specializing in computer networking and wireless connectivity solutions.
The critical flaws addressed by Aruba this time can be separated into two categories: command injection flaws and stack-based buffer overflow problems in the PAPI protocol.
The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 rating of 9.8 out of 10.0.
Applying the mitigations does not address another 15 high-severity and eight medium-severity vulnerabilities listed in Aruba's security advisory, which are fixed by the new versions.
Aruba states that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory, February 28, 2022.
News URL
Related news
- SAP fixes critical vulnerabilities in NetWeaver application servers (source)
- Critical vulnerabilities remain unresolved due to prioritization gaps (source)
- Critical SimpleHelp vulnerabilities fixed, update your server instances! (source)
- Netgear warns users to patch critical WiFi router vulnerabilities (source)
- Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-01 | CVE-2023-22750 | Command Injection vulnerability in Arubanetworks Arubaos and Sd-Wan There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). | 9.8 |
| 2023-03-01 | CVE-2023-22749 | Command Injection vulnerability in Arubanetworks Arubaos and Sd-Wan There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). | 9.8 |
| 2023-03-01 | CVE-2023-22748 | Command Injection vulnerability in Arubanetworks Arubaos and Sd-Wan There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). | 9.8 |
| 2023-03-01 | CVE-2023-22747 | Command Injection vulnerability in Arubanetworks Arubaos and Sd-Wan There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). | 9.8 |