Advisory ID: ARUBA-PSA-2018-005
CVE: CVE-2018-11776
Publication Date: 2018-Aug-24
Status: Preliminary
Revision: 1
Title
Apache Struts Vulnerability in ClearPass Policy Manager
Overview
The Apache Struts group announced Struts version 2.3.35 on August 22, 2018.
Included in this update is a fix for one security vulnerability. Aruba ClearPass makes use of Apache Struts 2.3.34 and is potentially affected by this vulnerability.
Affected Products
ClearPass 6.6.x
ClearPass 6.7.x
Details
Apache Struts versions 2.3 prior to 2.3.35 suffer from a possible Remote Code
Execution vulnerability. An attacker exploiting this vulnerability could
potentially take full control of a ClearPass server. Aruba is still
investigating whether or not ClearPass is vulnerable based on software
configuration.
The ClearPass Policy Manager administrative Web interface is the only
interface potentially affected by this vulnerability. ClearPass Guest,
Insight, Graphite, and the REST API are NOT affected.
If it is determined that ClearPass is vulnerable, Aruba will provide hotfixes
for the latest released versions of ClearPass. Aruba will also include
Apache Struts 2.3.35 in subsequent cumulative patches.
Note: The following CVSS score is preliminary and is copied from the CVSS
score for CVE-2018-11776. The score has not yet been adapted specifically
for ClearPass.
Severity: CRITICAL
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Resolution
- Apply hotfix to ClearPass (if/when available)
This advisory will be updated with further details once new information
becomes available. Aruba anticipates providing the next update on
August 28, 2018 (Pacific Standard Time). The latest
version of this advisory will always be available at
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt.
Workarounds
As a standard best practice, Aruba recommends that ClearPass administrators
restrict access to the Policy Manager Admin Web Interface. This can be
accomplished by navigating to Administration >> Server Manager >>
Server Configuration >> <Server-Name> >> Network >> Restrict Access and
only allowing non-public or network management networks.
Exploitation and Public Discussion
Aruba is aware of significant public discussion of this issue, and exploit
code is reported to exist.
Revision History
Revision 1 / 2018-Aug-24 / Initial release
Aruba SIRT Security Procedures
Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/