Article Details

HPE Aruba Networking fixes four critical RCE flaws in ArubaOS. HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system. The advisory lists ten vulnerabilities, four of which are critical-severity (CVSS v3.1: 9.8) unauthenticated buffer overflow problems that can lead to remote code execution (RCE). Products impacted by the newly disclosed flaws are: The four critical remote code execution flaws are:  To mitigate the flaws the vendor recommends enabling Enhanced PAPI Security and upgrading to patched versions for ArubaOS. The latest versions also address another six vulnerabilities, all rated "medium" in severity (CVSS v3.1: 5.3 – 5.9) which could allow unauthenticated attackers to create denial of service on vulnerable devices and cause costly operational disruptions. The target upgrade versions that address all ten flaws are: At this time, HPE Aruba Networking is not aware of any cases of active exploitation or the existence of proof-of-concept (PoC) exploits for the mentioned vulnerabilities. Still, system administrators are recommended to apply the available security updates as soon as possible.