Monday, April 14, 2014

Aruba Networks Publishes Update on Heartbleed Vulnerability

Is My Network Vulnerable?

Today, Aruba Networks made an announcement including details of their response to the OpenSSL 1.0.1 vulnerability otherwise known as the "Heartbleed bug."  It is possible for an attacker to exploit this Heartbleed vulnerability to gather information from the memory of web servers without leaving a trace.  This information may include security keys such as usernames, passwords, and cookies, thus enabling impersonations attacks.  This is a global internet vulnerability and is not specific to any certain type or brand of hardware or software.

Once the bug was discovered, the OpenSSL software was patched quickly and, as of the most recent version, this vulnerability is no longer an issue.  However, Aruba has recommended that some users take action.

Aruba quickly made patches available for their affected products.  Some customers, including those with active support contracts have already been notified.  There are active discussions in Aruba's Airheads Community forums.

Which Aruba Products Are Affected?

  • ArubaOS 6.3.x and 6.4.x
  • ClearPass 6.1.x, 6.2.x and 6.3.x
  • AirWave 8.0 beta
Earlier versions of ArubaOS and ClearPass used an earlier version of OpenSSL that is not vulnerable.  Patch releases have been made available on the Aruba Networks support site for affected versions of ArubaOS, ClearPass and AirWave.  Aruba Central cloud-based management has been upgraded.

How Can I Protect My Network?

  • If you are using any of the affected products, you can download the patches here.
  • If you have questions, read the Aruba security bulletin before contacting Aruba support.
  • As a precaution, change administrative access passwords after the software upgrade is complete.
We thank Aruba Networks for acting quickly to mitigate the effects of Heartbleed.

No comments:

Post a Comment