Bulletin: Aruba Campus & Branch Networking - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) aka "Meltdown" and "Spectre"

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00040976en_us

Version: 1

NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-02-02

Last Updated: 2018-02-05


DESCRIPTION

On January 3, 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed Aruba Campus & Branch Comware Network products, potentially leading to information disclosure and elevation of privilege. Product-specific mitigation steps will be published through the HPE Support Center as they become available.

Intel has provided a high-level statement here:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ Non-HPE site

For additional information:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr Non-HPE site

NOTE: One or more of the links above will take you outside the Hewlett Packard Enterprise web site. HPE does not control and is not responsible for information outside of the HPE web site.

IMPORTANT: The products listed under "Hardware Platforms Affected" at the bottom of this Customer Bulletin are provided to identify the specific models of Aruba products to be notified. It is not intended to be a list of products affected by the specific vulnerability outlined in this bulletin. A list of affected products can be found in the body of this bulletin.

SCOPE

Either of the following Aruba Campus and Branch MSR OAP modules may be affected, depending on the operating system in use:

  • HPE FlexNetwork MSR Open Application Platform (OAP) with VMware vSphere MIM Module - JG532A.
  • HPE FlexNetwork MSR Medium Survivable Branch Communication MIM Module powered by Microsoft Lync - JG588A.

NOTE: HPE recommends upgrading the operating system version for the products above with the appropriate patches.

The following Aruba Campus and Branch Comware Products are NOT VULNERABLE.

This includes the following Router products:

  • 8800
  • A6600 / HSR6600 / HSR6800
  • A6600 / HSR6600 / HSR6800 RU
  • MSR20 / 30 / 50 / 1000 / 9XX / 93X
  • MSR20 / 30 / 50 / 1000 / 9XX / 93X RU
  • MSR95X / MSR1000 / 2000 / 3000 / 4000(V7)
  • HSR6600 / HSR6800
  • VSR

This includes the following Security Series products:

  • F1000-A-EI / F1000-S-EI
  • F5000-A
  • F5000-C/S
  • U200S and CS
  • U200A and M
  • SecBlade FW / F1000-E
  • SecBlade III

This includes the following Switch series:

  • 1620 / 1910 / V1910 / 1920 / 1950
  • 3100V2
  • 3600V2 / 3100V2-48
  • 3610
  • 5120EI / 4510G
  • 5120SI / 5500HI / 5510HI
  • 5130EI / 5130EI Brazil / 5130HI
  • 5500EI / 4800G
  • 5500SI / 4500G
  • 7500 / 10500
  • NJ5000

This includes the following Wireless Series products:

  • Unified and MSM Products

The following OfficeConnect product is also included because it is a follow-on to the HPE 1920 switch, although it does not run the Comware operating system. It is also unaffected:

  • OfficeConnect 1920S

Operating System Vendor Responses:

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 Non-HPE site

Red Hat: https://access.redhat.com/security/vulnerabilities/speculativeexecution Non-HPE site

VMware: https://www.vmware.com/security/advisories/VMSA-2018-0002.html Non-HPE site

RESOLUTION

Affected products and mitigations are being tracked on the HPE vulnerability website.





Hardware Platforms Affected: HPE FlexNetwork 5130 HI Switch Series, HPE FlexNetwork MSR95x Router Series, HPE FlexNetwork 5510 HI Switch Series, HPE OfficeConnect 1920S Switch Series, HPE 5120 EI Switch Series, HPE FlexNetwork 5120 SI Switch Series, HPE 5500 EI Switch Series, HPE 5500 SI Switch Series, HPE MSR30 Series, HPE MSR20 Series, HPE MSR20-1x Series, HPE MSR50 Series, HPE 4800G Switch Series, HPE 200 Unified Threat Management (UTM) Appliance Series, HPE 8800 Router Series, HPE 4510G Switch Series, HPE Firewall Series, HPE Networking Switch Licenses, HPE 4500G Switch Series, HPE Security Appliance Modules, HPE OfficeConnect 1910 Switch Series, HPE MSR900 Series, HPE 5500 HI Switch Series, HPE FlexNetwork HSR6600 Router Series, JG532A, HPE FlexNetwork HSR6800 Router Series, HPE FlexNetwork MSR93x Router Series, JG588A, HPE FlexNetwork MSR2000 Router Series, HPE FlexNetwork MSR3000 Router Series, HPE FlexNetwork MSR4000 Router Series, HPE FlexNetwork VSR1000 Virtual Services Router Series, HPE FlexNetwork MSR1000 Router Series, HPE FlexNetwork 5130 EI Switch Series, HPE FlexNetwork 5130 EI Brazil Switch Series, HPE OfficeConnect 1950 Switch Series, HPE OfficeConnect 1920 Switch Series, HPE OfficeConnect 1620 Switch Series
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK2995
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
