We recently published an announcement for the OpenSSL 1.0.1 vulnerability ("Heartbleed Bug") that has been making big headlines this week. This vulnerability is very serious because it can allow an attacker to get the private keys that are being used to secure the communication, making it possible to launch a man-in-the-middle or other impersonation attack.
Our engineering and support teams have reacted quickly and patch releases for all affected Aruba products have been made available. Our OEM partners, our customers with active support contracts and AirWave 8.0 beta customers have all been notified. Many members of our Airheads Community have already started taking action.
Which Aruba products are affected?
- Affected versions: ArubaOS 6.3.x, 6.4.x and ClearPass 6.1.x, 6.2.x, 6.3.x. Previous versions of these products used an earlier version of OpenSSL that is not vulnerable.
- Aruba Instant and Aruba Mobility Access Switches are NOT affected.
- Aruba Central cloud-based management has been upgraded successfully.
- Patch release for AirWave 8.0 beta is now available on our support site.
- Patch release for Aruba Mobility Controllers running 6.3.x and 6.4.x versions of ArubaOS, including FIPS version, is now available on our support site.
- Patch release for Aruba ClearPass 6.1.x, 6.2.x and 6.3.x versions of software is now available on our support site.
What’s your best course of action?
- Understand that this is an industry- and internet-wide vulnerability and Aruba is not the only vendor affected.
- We recommend that you review the Aruba security bulletin before calling Aruba support. It is important that any affected infrastructure components are upgraded to the available patch release immediately.
- As a precaution, it is recommended that you update administrative access passwords to Mobility Controllers and ClearPass after the software upgrade.
- Security policy for some of you may require server certificates on Mobility Controllers and ClearPass to be re-issued. If the ClearPass server certificate is updated and you have used the “ClearPass Onboard” functionality to onboard employee mobile devices to the network, you will have to take one more step: you will have to educate your users to re-connect to the wireless network and onboard their devices again to download the latest server certificate.
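The certificate re-issue step above is easy to overlook when many controllers and ClearPass servers are in scope. The following script is an added example, not Aruba code or part of the bulletin: it audits server certificates (in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`) and flags any whose `notBefore` date is earlier than the time the patched software went live, since such a certificate's private key existed on a vulnerable OpenSSL 1.0.1 build and should be re-issued. The hostnames, serial numbers, dates and the patch time are constructed sample values, and `fetch_peercert` is an assumed helper for pulling the live certificate of a host you administer.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed: the moment the patched ArubaOS / ClearPass build went live.
# Replace with the actual change-window time from your own records.
PATCHED_AT = datetime(2014, 4, 9, 18, 0, tzinfo=timezone.utc)

# Constructed sample certificates in getpeercert() dict form.
# The first was issued before the patch (key lived on a vulnerable build);
# the second was re-issued afterwards.
SAMPLE_PEERCERT_OLD = {
    "subject": ((("commonName", "clearpass.example.net"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2016 GMT",
    "serialNumber": "0A1B2C3D",  # constructed value
}
SAMPLE_PEERCERT_NEW = {
    "subject": ((("commonName", "controller1.example.net"),),),
    "notBefore": "Apr 10 12:00:00 2014 GMT",
    "notAfter": "Apr 10 23:59:59 2016 GMT",
    "serialNumber": "0E0F1011",  # constructed value
}


def common_name(peercert):
    """Pull the commonName out of the nested subject tuple getpeercert() uses."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return "<no CN>"


def cert_predates(peercert, patched_at=PATCHED_AT):
    """True if the certificate was issued before the patched build went live.

    ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format that
    getpeercert() emits and returns UTC epoch seconds, so the comparison is
    timezone-safe as long as patched_at is timezone-aware.
    """
    issued = ssl.cert_time_to_seconds(peercert["notBefore"])
    return issued < patched_at.timestamp()


def audit(peercerts, patched_at=PATCHED_AT):
    """Return [(commonName, serial, verdict)] for each certificate.

    'REISSUE' means the key predates the fix and the certificate should be
    replaced; 'OK' means it was issued after the patched build was deployed.
    """
    results = []
    for cert in peercerts:
        verdict = "REISSUE" if cert_predates(cert, patched_at) else "OK"
        results.append((common_name(cert), cert.get("serialNumber", "?"), verdict))
    return results


def fetch_peercert(host, port=443, timeout=5.0):
    """Assumed helper: fetch the live server certificate of a host you manage.

    A default context verifies the chain, which is what makes getpeercert()
    return a populated dict rather than {}. Not called by the offline demo.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cn, serial, verdict in audit([SAMPLE_PEERCERT_OLD, SAMPLE_PEERCERT_NEW]):
        print(f"{cn:30} serial={serial:10} {verdict}")
```

Run it against a list of certificates collected with `fetch_peercert` from each Mobility Controller and ClearPass server after the upgrade; any `REISSUE` line is a host where the re-issue step (and, for ClearPass Onboard, the user re-onboarding) is still outstanding.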