HPE subsidiary Aruba Networks has issued another critical-severity security advisory on the heals of the TLStorm 2.0 vulnerability

Vulnerabilities exist in ClearPass Policy Manager 6.10.4, 6.10.x patch series, 6.9.9i, 6.9.x patch series, 6.8.9-HF2 and in the 6.8.x patch series

The security issues relate to its ClearPass access control policy software.

The ClearPass Web Based Management Interface can be used to allow an unauthenticated remote attacker to execute arbitrary commands on the machine where the software is installed.

The advisory stated successful exploitation of these vulnerabilities allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise

Aruba Networks alert lists a total of 21 bugs. The bugs were reported through the company’s bug bounty program by Daniel Jenson

Common Vulnerabilities and Exposures (CVE) numbers have been assigned.

The first three – CVE-2022-23657, CVE-2022-23658 and CVE-2022-23660 – were marked to be CVE numbers that needed to be prioritised and urgent attention was required.

Fixes have been published for all supported versions of the software.