[security bulletin] HPESBHF03723 rev.1 - HPE Aruba ClearPass Policy Manager, using Apache Struts, Remote Code Execution