A flaw was found in htmldoc in v1.9.12 and before. Null pointer dereference in file_extension(),in file.c may lead to execute arbitrary code and denial of service.

Published: **3 June 2021**

\[Unknown description\]

**Status**

Package

Release

Status

htmldoc  
Launchpad, Ubuntu, Debian

bionic

Not vulnerable  

focal

Released (1.9.7-1ubuntu0.2)  

groovy

Ignored (reached end-of-life)  

hirsute

Released (1.9.11-2ubuntu0.1)  

impish

Not vulnerable (1.9.11-4)  

trusty

Does not exist  

upstream

Released (1.9.11-4)  

xenial

Ignored (out of standard support)  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23180
*   https://github.com/michaelrsweet/htmldoc/issues/418
*   https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a
*   https://ubuntu.com/security/notices/USN-5198-1
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989437

CVE-2021-23180: CVE-2021-23180 | Ubuntu

A flaw was found in htmldoc in v1.9.12 and prior. A stack buffer overflow in parse_table() in ps-pdf.cxx may lead to execute arbitrary code and denial of service.

Published: **3 June 2021**

\[Unknown description\]

**Status**

Package

Release

Status

htmldoc  
Launchpad, Ubuntu, Debian

bionic

Needed  

focal

Needed  

groovy

Ignored (reached end-of-life)  

hirsute

Ignored (reached end-of-life)  

impish

Needed  

trusty

Does not exist  

upstream

Needs triage  

xenial

Ignored (out of standard support)  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23206
*   https://github.com/michaelrsweet/htmldoc/issues/416
*   https://github.com/michaelrsweet/htmldoc/commit/ba61a3ece382389ae4482c7027af8b32e8ab4cc8
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989437

CVE-2021-23206: CVE-2021-23206 | Ubuntu

A security issue was found in htmldoc v1.9.12 and before. A NULL pointer dereference in the function image_load_jpeg() in image.cxx may result in denial of service.

Published: **3 June 2021**

\[Unknown description\]

**Status**

Package

Release

Status

htmldoc  
Launchpad, Ubuntu, Debian

bionic

Needed  

focal

Needed  

groovy

Ignored (reached end-of-life)  

hirsute

Ignored (reached end-of-life)  

impish

Needed  

trusty

Does not exist  

upstream

Needs triage  

xenial

Ignored (out of standard support)  

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23191
*   https://github.com/michaelrsweet/htmldoc/issues/415
*   https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc
*   NVD
*   Launchpad
*   Debian

**Bugs**

*   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989437

CVE-2021-23191: CVE-2021-23191 | Ubuntu

Multiple unauthenticated command injection vulnerabilities were discovered in the AOS-CX API interface in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): AOS-CX 10.06.xxxx: 10.06.0170 and below, AOS-CX 10.07.xxxx: 10.07.0050 and below, AOS-CX 10.08.xxxx: 10.08.1030 and below, AOS-CX 10.09.xxxx: 10.09.0002 and below. Aruba has released upgrades for Aruba AOS-CX devices that address these security vulnerabilities.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-004 CVE: CVE-2021-41000, CVE-2021-41001, CVE-2021-41002, CVE-2021-41003, CVE-2021-3712, CVE-2002-20001, CVE-2017-6168, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373, CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883, CVE-2012-5081 Publication Date: 2022-Feb-22 Last Update: 2022-Apr-06 Status: Confirmed Severity: High Revision: 2 Title ===== AOS-CX Switches Multiple Vulnerabilities Overview ======== Aruba has released updates for wired switch products running AOS-CX that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect Aruba 4100i,6100,6200,6300, 6400,8320,8325,8360, and 8400 model switches running the following version of the AOS-CX firmware: - AOS-CX 10.06.xxxx: 10.06.0170 and below - AOS-CX 10.07.xxxx: 10.07.0050 and below - AOS-CX 10.08.xxxx: 10.08.1030 and below - AOS-CX 10.09.xxxx: 10.09.0002 and below Not all vulnerabilities in this advisory affect all AOS-CX branches. If an AOS-CX branch is not listed as affected, it means that any AOS-CX version in that given branch is not affected. For example, the 10.06.xxxx branch is not affected by CVE-2021-41001 and the 10.09.xxxx branch is not affected by CVE-2021-3712. The following unsupported branches of AOS-CX software were not validated and may contain these vulnerabilities: - AOS-CX 10.05.xxxx and below Unaffected Products =================== Any other Aruba products not listed above, including Aruba Intelligent Edge Switches and HPE OfficeConnect Switches are not affected by these vulnerabilities. Details ======= Multiple Authenticated Remote Code Execution in AOS-CX Command Line Interface (CVE-2021-41000) --------------------------------------------------------------------- Multiple vulnerabilities exist in the AOS-CX command line interface that could lead to authenticated command injection. Successful exploitation of these vulnerabilities could result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running AOS-CX. Internal references: ATLAX-27, ATLAX-28, ATLAX-38 Severity: High CVSSv3.1 Overall Score: 8.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0020 and below AOS-CX 10.08.xxxx: 10.08.0001 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0030 and above AOS-CX 10.08.xxxx: 10.08.0010 and above AOS-CX 10.09.xxxx: 10.09.0001 and above Diffie-Hellman Key Agreement Protocol Vulnerability (CVE-2002-20001) --------------------------------------------------------------------- The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. Successful exploitation of this vulnerability can lead to a denial of service on the AOS-CX switch. Internal Reference: ATLAX-51 Severity: High CVSSv3.1 Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Jean-francois Raymond and Anton Stiglic. Please see the following link for more details: https://www.researchgate.net/publication/2401745\_Security\_Issues\_in\_the\_Diffie-Hellman\_Key\_Agreement\_Protocol Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Authenticated Read Buffer Overruns Processing ASN.1 Strings in AOS-CX (CVE-2021-3712) --------------------------------------------------------------------- A vulnerability exists which allows an authenticated attacker to access sensitive information on the AOS-CX web-based management interface. Successful exploitation allows an attacker to gain access to some data in a cleartext format possibly exposing other network infrastructure to further compromise. Internal references: ATLAX-39 Severity: High CVSSv3.1 Overall Score: 7.4 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H Discovery: This vulnerability was discovered and reported by Ingo Schwarze. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0001 and above Authenticated Remote Code Execution in AOS-CX Network Analytics Engine(NAE) (CVE-2021-41001) -------------------------------------------------------------------- Authenticated command injection vulnerabilities exist in the AOS-CX Network Analytics Engine via NAE scripts. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system, leading to a complete compromise of the switch running AOS-CX. Internal references: ATLAX-37 Severity: High CVSSv3.1 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Multiple Unauthenticated Command Injection Vulnerabilities in AOS-CX API Interface (CVE-2021-41003) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface API of AOS-CX that could allow an unauthenticated remote attacker to conduct Cross Site Scripting(XSS) and HTML injection attacks. It would allow an attacker to execute arbitrary code in a victim's browser. Internal Reference: ATLAX-50 Severity: Medium CVSSv3.1 Overall Score: 6.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by mooimacow (bugcrowd.com/mooimacow) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Return Of Bleichenbacher's Oracle Threat (CVE-2017-6168, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373, CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883, CVE-2012-5081) -------------------------------------------------------------------- A vulnerability exists within AOS-CX's cryptographic library that provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker may be able to recover private keys for X.509 certificates. This vulnerability is referred to as "ROBOT." Please see the following link for more details: https://robotattack.org/ Internal references: ATLAX-36 Severity: Medium CVSSv3.1 Overall Score: 5.9 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Hanno Böck, Juraj Somorovsky, and Craig Young. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0120 and below AOS-CX 10.07.xxxx: 10.07.0009 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0130 and above AOS-CX 10.07.xxxx: 10.07.0010 and above AOS-CX 10.08.xxxx: 10.08.0001 and above Multiple Authenticated Remote Path Traversal AOS-CX Command Line Interface (CVE-2021-41002) --------------------------------------------------------------------- Multiple authenticated path traversal vulnerabilities exist in the AOS-CX command line interface. Successful exploitation of this vulnerability could result in the ability to impact the integrity of critical files on the underlying operating system. This allows an attacker to impact the availability of the AOS-CX switch and may allow for modification of sensitive data. Internal references: ATLAX-33, ATLAX-34 Severity: Medium CVSSv3.1 Overall Score: 5.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-Feb-22 / Initial release Revision 2 / 2022-Apr-06 / Updated CVSSv3.1 Overall Score Version Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmIKeYAACgkQmP4JykWF htlHIwf/Wg7bLFjwR2I8B4AW27g5ZF7+kZDANC0fDcGbIump0Vk9kYpixZFV0PC6 emZ1HG+CMnlzJC/tSiTTUZF4+aDwJlJgtX3la4Em/bZGhFZoAc0YyM4p9U8QZ+fw KUqa5OklYZ7dWqQfcJMQuRfJwAx+gBnSG6hYf5dOarAxNNWYJpDvPWzQ6YNbNOZH 5anZqEuUOMpjyWYrClqvc/l2L3Hzk4s99moKqiKVQkUd+6MLGrrj7oDAag/IEINQ TZIZp+Kfrmgzlc/C8GQNjAbwyck52iNsMYTd2WkRT6SssooKI/Ru8+5EaEbLeeq1 TEO88iGzPy+g28wrcVYaNaUdHY8i/A== =gxkM -----END PGP SIGNATURE-----

CVE-2021-41003

A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2022-0711: Red Hat Customer Portal - Access to 24x7 support and knowledge

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-004 CVE: CVE-2021-41000, CVE-2021-41001, CVE-2021-41002, CVE-2021-41003, CVE-2021-3712, CVE-2002-20001, CVE-2017-6168, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373, CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883, CVE-2012-5081 Publication Date: Feb 22 2022 Status: Confirmed Severity: High Revision: 1 Title ===== AOS-CX Switches Multiple Vulnerabilities Overview ======== Aruba has released updates for wired switch products running AOS-CX that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect Aruba 4100i,6100,6200,6300, 6400,8320,8325,8360, and 8400 model switches running the following version of the AOS-CX firmware: - AOS-CX 10.06.xxxx: 10.06.0170 and below - AOS-CX 10.07.xxxx: 10.07.0050 and below - AOS-CX 10.08.xxxx: 10.08.1030 and below - AOS-CX 10.09.xxxx: 10.09.0002 and below Not all vulnerabilities in this advisory affect all AOS-CX branches. If an AOS-CX branch is not listed as affected, it means that any AOS-CX version in that given branch is not affected. For example, the 10.06.xxxx branch is not affected by CVE-2021-41001 and the 10.09.xxxx branch is not affected by CVE-2021-3712. The following unsupported branches of AOS-CX software were not validated and may contain these vulnerabilities: - AOS-CX 10.05.xxxx and below Unaffected Products =================== Any other Aruba products not listed above, including Aruba Intelligent Edge Switches and HPE OfficeConnect Switches are not affected by these vulnerabilities. Details ======= Multiple Authenticated Remote Code Execution in AOS-CX Command Line Interface (CVE-2021-41000) --------------------------------------------------------------------- Multiple vulnerabilities exist in the AOS-CX command line interface that could lead to authenticated command injection. Successful exploitation of these vulnerabilities could result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running AOS-CX. Internal references: ATLAX-27, ATLAX-28, ATLAX-38 Severity: High CVSSv3 Overall Score: 8.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0020 and below AOS-CX 10.08.xxxx: 10.08.0001 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0030 and above AOS-CX 10.08.xxxx: 10.08.0010 and above AOS-CX 10.09.xxxx: 10.09.0001 and above Diffie-Hellman Key Agreement Protocol Vulnerability (CVE-2002-20001) --------------------------------------------------------------------- The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. Successful exploitation of this vulnerability can lead to a denial of service on the AOS-CX switch. Internal Reference: ATLAX-51 Severity: High CVSS Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Jean-francois Raymond and Anton Stiglic. Please see the following link for more details: https://www.researchgate.net/publication/2401745\_Security\_Issues\_in\_the\_Diffie-Hellman\_Key\_Agreement\_Protocol Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Authenticated Read Buffer Overruns Processing ASN.1 Strings in AOS-CX (CVE-2021-3712) --------------------------------------------------------------------- A vulnerability exists which allows an authenticated attacker to access sensitive information on the AOS-CX web-based management interface. Successful exploitation allows an attacker to gain access to some data in a cleartext format possibly exposing other network infrastructure to further compromise. Internal references: ATLAX-39 Severity: High CVSSv3 Overall Score: 7.4 CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H Discovery: This vulnerability was discovered and reported by Ingo Schwarze. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0001 and above Authenticated Remote Code Execution in AOS-CX Network Analytics Engine(NAE) (CVE-2021-41001) -------------------------------------------------------------------- Authenticated command injection vulnerabilities exist in the AOS-CX Network Analytics Engine via NAE scripts. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system, leading to a complete compromise of the switch running AOS-CX. Internal references: ATLAX-37 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Multiple Unauthenticated Command Injection Vulnerabilities in AOS-CX API Interface (CVE-2021-41003) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface API of AOS-CX that could allow an unauthenticated remote attacker to conduct Cross Site Scripting(XSS) and HTML injection attacks. It would allow an attacker to execute arbitrary code in a victim's browser. Internal Reference: ATLAX-50 Severity: Medium CVSS Score: 6.1 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by mooimacow (bugcrowd.com/mooimacow) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Return Of Bleichenbacher's Oracle Threat (CVE-2017-6168, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373, CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883, CVE-2012-5081) -------------------------------------------------------------------- A vulnerability exists within AOS-CX's cryptographic library that provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker may be able to recover private keys for X.509 certificates. This vulnerability is referred to as "ROBOT." Please see the following link for more details: https://robotattack.org/ Internal references: ATLAX-36 Severity: Medium CVSSv3 Overall Score: 5.9 CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Hanno Böck, Juraj Somorovsky, and Craig Young. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0120 and below AOS-CX 10.07.xxxx: 10.07.0009 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0130 and above AOS-CX 10.07.xxxx: 10.07.0010 and above AOS-CX 10.08.xxxx: 10.08.0001 and above Multiple Authenticated Remote Path Traversal AOS-CX Command Line Interface (CVE-2021-41002) --------------------------------------------------------------------- Multiple authenticated path traversal vulnerabilities exist in the AOS-CX command line interface. Successful exploitation of this vulnerability could result in the ability to impact the integrity of critical files on the underlying operating system. This allows an attacker to impact the availability of the AOS-CX switch and may allow for modification of sensitive data. Internal references: ATLAX-33, ATLAX-34 Severity: Medium CVSSv3 Overall Score: 5.5 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Affected Versions: AOS-CX 10.06.xxxx: 10.06.0170 and below AOS-CX 10.07.xxxx: 10.07.0050 and below AOS-CX 10.08.xxxx: 10.08.1030 and below AOS-CX 10.09.xxxx: 10.09.0002 and below Resolved Versions: AOS-CX 10.06.xxxx: 10.06.0180 and above AOS-CX 10.07.xxxx: 10.07.0061 and above AOS-CX 10.08.xxxx: 10.08.1040 and above AOS-CX 10.09.xxxx: 10.09.0010 and above Resolution ========== The vulnerabilities contained in this advisory can be addressed by patching or upgrading to one of the versions listed below - - AOS-CX 10.06.xxxx: 10.06.0180 and above - - AOS-CX 10.07.xxxx: 10.07.0061 and above - - AOS-CX 10.08.xxxx: 10.08.1040 and above - - AOS-CX 10.09.xxxx: 10.09.0010 and above Aruba recommends that users using the following branches upgrade to 10.06.0180 and above to address these vulnerabilities: - - AOS-CX 10.05.xxxx and below None of the above branch versions will address the UEFI vulnerabilities mentioned in ARUBA-PSA-2022-001. Workaround ========== None. Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-Feb-22/ Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmIKeYAACgkQmP4JykWF htlHIwf/Wg7bLFjwR2I8B4AW27g5ZF7+kZDANC0fDcGbIump0Vk9kYpixZFV0PC6 emZ1HG+CMnlzJC/tSiTTUZF4+aDwJlJgtX3la4Em/bZGhFZoAc0YyM4p9U8QZ+fw KUqa5OklYZ7dWqQfcJMQuRfJwAx+gBnSG6hYf5dOarAxNNWYJpDvPWzQ6YNbNOZH 5anZqEuUOMpjyWYrClqvc/l2L3Hzk4s99moKqiKVQkUd+6MLGrrj7oDAag/IEINQ TZIZp+Kfrmgzlc/C8GQNjAbwyck52iNsMYTd2WkRT6SssooKI/Ru8+5EaEbLeeq1 TEO88iGzPy+g28wrcVYaNaUdHY8i/A== =gxkM -----END PGP SIGNATURE-----

Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service.

Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service. HP is releasing mitigation for the potential vulnerabilities.

Severity

High

HP Reference

HPSBHF03775 Rev. 1

Release date

February 28, 2022

Last updated

February 28, 2022

Category

PC

Potential Security Impact

Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

Reported by Assaf Carlsbad and Itai Liba of SentinelOne

List of CVE IDs    

CVE ID

Base Score

Base Vector

Vendor ID

CVE-2022-23956

8.2

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

HP

CVE-2022-23953

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

CVE-2022-23954

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

CVE-2022-23955

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

CVE-2022-23957

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

CVE-2022-23958

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

Learn more about CVSS 3.1 base metrics, which range from 0 to 10.

PSR-2021-0130

**Resolution**

HP has identified affected platforms and corresponding SoftPaqs with minimum versions that mitigate the potential vulnerabilities. See the affected platforms listed below.

Newer versions may become available, and the minimum versions listed below may become obsolete.  If a SoftPaq Link becomes invalid, check the HP Customer Support - Software and Driver Downloads site to obtain the latest update for your product model.

HP recommends keeping your system up to date with the latest firmware and software.

Note:

This bulletin might be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

*   Product support eAlerts
    
*   Driver updates
    
*   Security Bulletin updates
    

**SoftPaqs and affected products**

Find the SoftPaqs that resolve the vulnerabilities of your system.

SoftPaq Status

*   **Pending**: SoftPaq is in progress.
    
*   **Under investigation**: System under investigation for impact, or the SoftPaq is under investigation for feasibility/availability.
    
*   **Not available**: SoftPaq not available due to technical or logistical constraints.
    
*   **Check Support Page**: The listed SoftPaq has been removed from the download site. SoftPaqs with newer versions may be available on the HP Customer Support - Software and Driver Downloads site.
    

**Affected products**

Identify the affected products by category of PC.

**Business Notebook PCs**

Pending

**Business Desktop PCs**

Pending

**Retail Point-of-Sale Systems**

Pending

**Workstations**

Under Investigation

**Thin Client PCs**

Under Investigation

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

February 28, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-23956: HP PC BIOS February 2022 Security Update

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in CAA to cause a denial of service. IBM X-Force ID: 220394.

CVE-2022-22350: IBM X-Force Exchange

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service. IBM X-Force ID: 213076.

**Security Bulletin**

  

**Summary**

There are multiple vulnerabilities in AIX CAA.

**Vulnerability Details**

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.1

AIX

7.2

AIX

7.3

VIOS

3.1

The vulnerabilities in the following filesets are being addressed:

Fileset

Lower Level

Upper Level

bos.cluster.rte

7.1.5.0

7.1.5.38

bos.cluster.rte

7.2.4.0

7.2.4.4

bos.cluster.rte

7.2.5.0

7.2.5.1

bos.cluster.rte

7.2.5.100

7.2.5.101

bos.cluster.rte

7.3.0.0

7.3.0.0

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.

Example:  lslpp -L | grep -i bos.cluster.rte

  

**Remediation/Fixes**

**A. APARS**

IBM has assigned the following APARs to this problem:

AIX Level

APAR

SP

7.1.5

IJ37355

SP10

7.2.4

IJ37496

SP06

7.2.5

IJ36682

SP04

7.3.0

IJ36596

SP02

 

VIOS Level

APAR

SP

3.1.1

IJ37496

3.1.1.60

3.1.2

IJ37512

3.1.2.40

3.1.3

IJ36682

3.1.3.20

Subscribe to the APARs here:

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

**B. FIXES**

AIX and VIOS fixes are available.

An LPAR system reboot is required to complete the iFix installation, or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

The AIX and VIOS fixes can be downloaded via ftp or http from:

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

AIX Level

Interim Fix

7.1.5.7

IJ37355s7a.220228.epkg.Z

7.1.5.8

IJ37355s8a.220228.epkg.Z

7.1.5.9

IJ37355s9a.220228.epkg.Z

7.1.5.9

IJ37355s9b.220228.epkg.Z

7.2.4.3

IJ37496s3a.220228.epkg.Z

7.2.4.4

IJ37496s4a.220228.epkg.Z

7.2.4.5

IJ37496s5a.220228.epkg.Z

7.2.5.1

IJ37512s1a.220228.epkg.Z

7.2.5.2

IJ37512s2a.220228.epkg.Z

7.2.5.3

IJ36682s3a.220228.epkg.Z

7.2.5.3

IJ36682s3b.220228.epkg.Z

7.3.0.1

IJ36596s1a.220228.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.2 is AIX 7200-05-02.

NOTE:  Multiple iFixes are provided for AIX 7100-05-09 and 7200-05-03.

IJ37355s9a is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.38.

IJ37355s9b is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.37.

IJ36682s3a is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.101.

IJ36682s3b is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.100.

Please reference the Affected Products and Version section above for help with checking installed fileset levels.

VIOS Level

Interim Fix

3.1.1.30

IJ37496s3a.220228.epkg.Z

3.1.1.40

IJ37496s4a.220228.epkg.Z

3.1.1.50

IJ37496s5a.220228.epkg.Z

3.1.2.10

IJ37512s1a.220228.epkg.Z

3.1.2.21

IJ37512s2a.220228.epkg.Z

3.1.3.10

IJ36682s3b.220228.epkg.Z

3.1.3.14

IJ36682s3a.220228.epkg.Z

To extract the fixes from the tar file:

tar xvf caa\_fix2.tar

cd caa\_fix2

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

6e45651c382f9915771c9714b994d26a783a8caecb8e3c8b3350d981aee7349b

IJ36596s1a.220228.epkg.Z

88a2f0bcc4b7676eab0db362fd885d360ad3a38104edbe7bed1e4c79a56be30d

IJ36682s3a.220228.epkg.Z

a81847ca47786818db8dce79f4a982c285815f561e2c9e8630840c229a27d381

IJ36682s3b.220228.epkg.Z

b4efa8234dc00c91148c75ec25e1c5fd3cd96ec691131ece6e458e5c33591335

IJ37355s7a.220228.epkg.Z

e141352471d842585e176bfb3ccc27289620b63de96478cca7688f4851841023

IJ37355s8a.220228.epkg.Z

9440584798abfa576e4e90287847f22cc9019281a213f1d289df330e75e77b56

IJ37355s9a.220228.epkg.Z

4d77a4e7fd8cd356deda29d6ff9a5996912ebd22e0898ede34725220d8df2577

IJ37355s9b.220228.epkg.Z

991ac1e17a4dd3b20feb44162b3f04a9dcda8cb2acce398e09c520b5871ccff3

IJ37496s3a.220228.epkg.Z

a0a24034a8a2fc3f2fa4ed8e5b05da045587300708812fe5c796a41b87b8e855

IJ37496s4a.220228.epkg.Z

2f74bee159291cec6944f8b522dbbf086f01b65a30da76595773b5851008c0ba

IJ37496s5a.220228.epkg.Z

95086a37dbf91e218f145c172cf2ca39029dfbecb00f072d4a36887f91536551

IJ37512s1a.220228.epkg.Z

9e2ecbbe30354bdd275679ac9e22ec7ca0dfb8a87cbe73f46767422b90206afd

IJ37512s2a.220228.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes.  If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy.         

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

**C. FIX AND INTERIM FIX INSTALLATION**

An LPAR system reboot is required to complete the iFix installation, or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix\_name -p all  # where fix\_name is the name of the

                                            # fix package being previewed.

To install a fix package:

installp -a -d fix\_name -X all  # where fix\_name is the name of the

                                            # fix package being installed.

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

To preview an interim fix installation:

emgr -e ipkg\_name -p         # where ipkg\_name is the name of the

                                         # interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X         # where ipkg\_name is the name of the

                                         # interim fix package being installed.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

01 Mar 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU048","label":"Systems w\\/TPS"},"Product":{"code":"SSSMHJ","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":""},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.1,7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}\]

Tag

#dos