Aruba Networks Patches Six Critical Vulnerabilities

March 1, 2023

Aruba Networks, a subsidiary of Hewlett Packard Enterprise, has released a security advisory addressing six critical-severity vulnerabilities that affect multiple versions of ArubaOS. The flaws, tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, CVE-2023-22750, CVE-2023-22751, and CVE-2023-22752, are command injection and stack-based buffer overflow issues in the PAPI protocol. An unauthenticated, remote attacker can exploit them by sending specially crafted packets to the PAPI service on UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS. The vendor has released upgraded versions to address the flaws; however, several product versions that have reached End of Life (EoL) are also affected and will not receive a fix. As a workaround, system administrators can enable the “Enhanced PAPI Security” mode using a non-default key. Aruba states that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the advisory's release date.
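As an added illustration (not code from Aruba or the advisory), the following Python sketch scans constructed firewall log lines for allowed UDP/8211 (PAPI) traffic arriving from outside an assumed management network, which is the exposure these flaws require; the log format and the trusted network are assumptions to adapt to your own environment.

```python
import ipaddress
import re

# Assumed: networks permitted to talk PAPI to controllers; adjust for your site.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]
PAPI_PORT = 8211  # UDP port named in the advisory

# Constructed sample log lines in a generic key=value format (not real Aruba output).
SAMPLE_LOGS = """\
2023-03-01T10:00:01Z action=allow proto=udp src=10.10.5.4 dst=10.20.1.1 dport=8211
2023-03-01T10:00:02Z action=allow proto=udp src=203.0.113.7 dst=10.20.1.1 dport=8211
2023-03-01T10:00:03Z action=allow proto=tcp src=203.0.113.7 dst=10.20.1.1 dport=443
2023-03-01T10:00:04Z action=deny proto=udp src=198.51.100.9 dst=10.20.1.2 dport=8211
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(ip):
    """True if the source address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_exposed_papi(log_text):
    """Return records of *allowed* UDP/8211 traffic from untrusted sources."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"] == "udp" and rec["dport"] == PAPI_PORT
                and rec["action"] == "allow" and not is_trusted(rec["src"])):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_exposed_papi(SAMPLE_LOGS):
        print(f"{hit['ts']} PAPI reachable from untrusted {hit['src']} -> {hit['dst']}")
```

Denied packets are deliberately not reported, so the output lists only sources that actually reached the PAPI port; feed the same filter your real flow or firewall logs while EoL units await replacement.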
