PRODUCT SECURITY ANNOUNCEMENT

AEROHIVE’S RESPONSE: HIVEMANAGER 6.1r3a AND LOWER ARE VULNERABLE TO CVE-2013-2251


Release Date

11 August 2014

SUMMARY

HiveManager (both on-premises and HMOL) version 6.1r3a and lower are vulnerable to CVE-2013-2251 and should be upgraded immediately to version 6.1r5 or later. A vulnerability in the Apache Struts2 framework, a component used by HiveManager, allows unauthenticated attackers to execute arbitrary OGNL expressions on the target host and possibly to gain root access. Aerohive has made version 6.1r6a available for immediate upgrade to address the vulnerabilities.

AFFECTED PRODUCTS AND VERSIONS

Aerohive HiveManager (both on-premises and HiveManager Online), versions 6.1r3a and lower.

DETAILS

In late May 2014 a security researcher brought to Aerohive’s attention a potential security vulnerability in HiveManager. After investigation, Aerohive concluded that the vulnerabilities are in a component, Apache Struts2, used by Aerohive HiveManager, HiveManager OnLine, and the MyHive portal. The vulnerability in the MyHive portal was fixed immediately, and forensic analysis indicated that the MyHive portal had not been breached. The limited-availability HiveManager 6.1r5 was determined not to be vulnerable.

Apache Struts2 is a Java web application framework. Struts2 version 2.3.4.1 was used in HiveManager 6.1r3a and earlier. CVE-2013-2251 affects Struts2 versions 2.0.0 through 2.3.15.1. HiveManager version 6.1r5 uses Struts2 version 2.3.15.3. Aerohive began automatically upgrading all HMOL accounts to 6.1r6 on 7 July 2014 and has now concluded those upgrades.

DISCOVERY

This vulnerability was originally reported to Aerohive by Jacco van Tuijl, to whom we extend our thanks.

IMPACT

May allow unauthorized disclosure of information; may allow unauthorized modification; may allow disruption of service.

CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/AU:N/C:C/I:C/A:C)

MITIGATION

On-premises HiveManager customers should immediately upgrade to HiveManager version 6.1r6a. HiveManager Online customers have been automatically upgraded as quickly as Aerohive could perform those upgrades. As always, Aerohive recommends that you follow best security practices, including reduction of possible attack surface areas by use of access control methods such as network-level ACLs to restrict access.

STATUS OF THIS NOTICE: Final

Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aerohive’s website at:

http://www.aerohive.com/support/security-center/security-bulletins

Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 2014-08-11 / Final release

AEROHIVE PSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aerohive products and on obtaining assistance with security incidents is available at

http://www.aerohive.com/support/security-center

For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.aerohive.com/support/security-center.

© Copyright 2017 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.