
Apache Struts Vulnerability in ClearPass Policy Manager

Aug 30, 2018 - Aruba

Aruba Product Security Advisory

Advisory ID: ARUBA-PSA-2018-005

CVE: CVE-2018-11776

Publication Date: 2018-Aug-24

Status: Preliminary

Revision: 1






The Apache Struts group announced Struts version 2.3.35 on August 22, 2018.

Included in this update is a fix for one security vulnerability.  Aruba ClearPass makes use of Apache Struts 2.3.34 and is potentially affected by this vulnerability.


Affected Products

  ClearPass 6.6.x

  ClearPass 6.7.x



Apache Struts versions 2.3 prior to 2.3.35 suffer from a possible Remote Code Execution vulnerability. An attacker exploiting this vulnerability could potentially take full control of a ClearPass server. Aruba is still investigating whether or not ClearPass is vulnerable based on software



The ClearPass Policy Manager administrative Web interface is the only interface potentially affected by this vulnerability. ClearPass Guest, Insight, Graphite, and the REST API are NOT affected.


If it is determined that ClearPass is vulnerable, Aruba will provide hotfixes for the latest released versions of ClearPass. Aruba will also include Apache Struts 2.3.35 in subsequent cumulative patches.


Note: The following CVSS score is preliminary and is copied from the CVSS score for CVE-2018-11776. The score has not yet been adapted specifically for ClearPass.


Severity: CRITICAL

CVSSv3 Overall Score: 9.8




  - Apply hotfix to ClearPass (if/when available)


This advisory will be updated with further details once new information becomes available. Aruba anticipates providing the next update on August 28, 2018 (Pacific Standard Time). The latest version of this advisory will always be available at




As a standard best practice, Aruba recommends that ClearPass administrators restrict access to the Policy Manager Admin Web Interface. This can be accomplished by navigating to Administration >> Server Manager >> Server Configuration >> <Server-Name> >> Network >> Restrict Access and only allowing non-public or network management networks.
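One way to review the networks intended for the Restrict Access allow-list before entering them, as an added example (not Aruba's code). It assumes entries are written as CIDR ranges or single IP addresses and treats RFC 1918 and IPv6 unique-local space as "non-public"; public management networks are flagged for review rather than rejected, and the sample list is constructed.

```python
import ipaddress

# Ranges treated as non-public here (RFC 1918 plus IPv6 unique-local).
# This definition is an assumption of the example; adjust it per site.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def classify(entry):
    """Return 'ok', 'review-public', 'unrestricted' or 'invalid' for one entry."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "invalid"
    if net.prefixlen == 0:
        return "unrestricted"  # 0.0.0.0/0 or ::/0 allows every source
    inside = any(net.version == p.version and net.subnet_of(p)
                 for p in NON_PUBLIC)
    # A range that only overlaps a private block (e.g. 10.0.0.0/7) still
    # admits public sources, so only full containment counts as non-public.
    return "ok" if inside else "review-public"

def audit(entries):
    """Map each entry that needs attention to its classification."""
    results = {e: classify(e) for e in entries}
    return {e: r for e, r in results.items() if r != "ok"}

# Constructed sample allow-list (not taken from any real deployment).
SAMPLE = ["10.20.0.0/24", "192.168.50.10", "203.0.113.0/24",
          "10.0.0.0/7", "0.0.0.0/0", "172.16.300.0/24", "fd12:3456::/48"]

if __name__ == "__main__":
    for entry, finding in audit(SAMPLE).items():
        print(f"{entry:18} {finding}")
```
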


Exploitation and Public Discussion

Aruba is aware of significant public discussion of this issue, and exploit code is reported to exist.


Revision History


Revision 1 / 2018-Aug-24 / Initial release


Aruba SIRT Security Procedures

Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at:



For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: