Apache Struts Remote Code Execution Vulnerability
An unauthenticated remote code execution vulnerability in the Apache
Struts 2 package has been publicly reported. This advisory details
Aruba's exposure to this vulnerability.
-- ClearPass Policy Manager (all versions)
-- Aruba Instant
-- All Aruba cloud services including Aruba Central and Meridian
On March 7, 2017 the Apache Struts team released new versions of the
package to address a security vulnerability. The vulnerability allows
an unauthenticated attacker to execute code remotely on a vulnerable system
through the use of a specially crafted Content-Type header. The attack code
will be executed with the permission of the web server user. Attack tools
exist and this vulnerability is being actively exploited.
The ClearPass Policy Manager administrative Web interface is affected by the
vulnerability. ClearPass Guest, Insight, and Graphite are NOT affected.
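The header abuse described above can be triaged from request logs while a hotfix is pending. The following is an added Python example, not part of Aruba's advisory or ClearPass itself: it flags any request whose Content-Type header is not a structurally valid media type (the crafted header this flaw relies on does not conform to the type/subtype grammar). The tab-separated log layout, paths and client addresses are constructed for the example.

```python
import re

# RFC 7230 "token" characters: the only characters allowed in a media type
# name, a parameter name, or an unquoted parameter value.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
PARAMETER = rf"\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED_STRING})"
MEDIA_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAMETER})*\s*$")


def is_well_formed_content_type(value: str) -> bool:
    """True if value has the shape type/subtype[; name=value]* and nothing else."""
    return MEDIA_TYPE_RE.fullmatch(value) is not None


def find_malformed_content_types(log_lines):
    """Return (line_number, client, header_value) for every request whose
    Content-Type header is present but is not a structurally valid media type.
    Lines are tab-separated: timestamp, client IP, request line, Content-Type
    (a constructed layout, not ClearPass's own log format)."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # skip lines that do not follow the expected layout
        _ts, client, _request, content_type = fields
        if not content_type:
            continue  # no Content-Type header (e.g. a plain GET) is normal
        if not is_well_formed_content_type(content_type):
            hits.append((n, client, content_type))
    return hits


# Constructed sample records: two normal POSTs, one POST whose header is not a
# media type at all, and one GET with no Content-Type header.
SAMPLE_LOG = [
    "2017-03-10T10:01:02Z\t10.0.0.5\tPOST /admin/login\tapplication/x-www-form-urlencoded",
    "2017-03-10T10:01:09Z\t10.0.0.5\tPOST /admin/upload\tmultipart/form-data; boundary=----constructed",
    "2017-03-10T10:02:44Z\t203.0.113.7\tPOST /admin/login\t%{constructed-not-a-media-type}",
    "2017-03-10T10:03:01Z\t198.51.100.9\tGET /admin/\t",
]

if __name__ == "__main__":
    for n, client, value in find_malformed_content_types(SAMPLE_LOG):
        print(f"line {n}: client {client} sent malformed Content-Type {value!r}")
```

A hit only shows that the header value is non-conforming; correlate it with the client address against the restricted-access list before treating it as an exploitation attempt.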
CVSSv3 Overall Score: 9.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:F/RL:W/RC:C
Aruba will be publishing hotfixes for ClearPass 6.5.7 and 6.6.4 no later than
Tuesday, March 14, 2017. Additionally, ClearPass 6.6.5 (target release date
of March 22, 2017) will include this fix.
Once the hotfix is published, the following methods may be used to install it:
Installing the Patch Online Using the Software Updates Portal:
1. Open ClearPass Policy Manager and go to Administration > Agents and Software
Updates > Software Updates.
2. In the Firmware and Patch Updates area, find the "ClearPass 6.5.7 Hotfix
Patch for CVE-2017-5638" or "ClearPass 6.6.4 Hotfix Patch for CVE-2017-5638"
patch and click the Download button in its row.
3. Click Install.
4. When the installation is complete and the status is shown as "Needs
Restart", proceed to restart ClearPass. After reboot, the status for the
patch will be shown as Installed. The ClearPass Policy Manager version
number will not change.
Installing the Patch Offline Using the Patch File from support.arubanetworks.com:
1. Download the "ClearPass 6.5.7 Hotfix Patch for CVE-2017-5638" or
"ClearPass 6.6.4 Hotfix Patch for CVE-2017-5638" patch from the Support site.
2. Open the ClearPass Policy Manager Admin UI and go to Administration >
Agents and Software Updates > Software Updates.
3. At the bottom of the Firmware and Patch Updates area, click Import Updates
and browse to the downloaded patch file. The name and description once
imported may differ from the name and remark on the support site
as these were adjusted after posting. This is purely a cosmetic discrepancy.
4. Click Install.
5. When the installation is complete and the status is shown as Needs Restart,
proceed to restart ClearPass. After reboot, the status for the patch will
be shown as Installed. The ClearPass Policy Manager version number will not change.
Restrict access to the Policy Manager Admin Web Interface. This can be
accomplished by navigating to Administration >> Server Manager >>
Server Configuration >> <Server-Name> >> Network >> Restrict Access and
only allowing non-public or network management networks.
Revision 1 / 2017-Mar-10 / Initial release
Aruba SIRT Security Procedures
Complete information on reporting security vulnerabilities in Aruba Networks
products and on obtaining assistance with security incidents is available at: