
Archive

This site contains an archive of previously published Silver Peak advisories. Beginning May 1, 2022, all new security advisories for Silver Peak are published on the HPE Aruba Networking Archive of Security Advisories site here.

Go here for the HPE Aruba Networking security incident response policy and contact information.

Spring4Shell Vulnerability

Dirty Pipe Vulnerability

Local Privilege Escalation in polkit’s pkexec

  • CVE-2021-4034 submitted by Qualys Research Team on November 29, 2021.
  • Download

Apache Log4j2 Vulnerability

  • CVE-2021-44228 originally published by Apache Software Foundation on December 10, 2021.
  • Download

    See the FAQ page for information about verifying the corrective action to mitigate this exploit as well as answers to common questions.

Intel Platform Update (IPU) Update 2021.1, June 2021

  • Published on August 17, 2021 by Silver Peak Systems, Inc.
  • Download

OpenSSL Security Advisory, EDIPartyName Vulnerability

  • CVE-2020-1971 originally published by OpenSSL Software Foundation on December 8, 2020
  • Download

OS Command Injection - Management File Upload

  • CVE-2020-12149 submitted on December 11, 2020 by Silver Peak Systems, Inc.
  • Download

OS Command Injection - nslookup API

  • CVE-2020-12148 submitted on December 11, 2020 by Silver Peak Systems, Inc.
  • Download

Unauthorized Database Queries in Orchestrator

  • CVE-2020-12147 submitted on October 30, 2020 by Silver Peak Systems, Inc.
  • Download

Path Traversal Vulnerability in Orchestrator

  • CVE-2020-12146 submitted on October 30, 2020 by Silver Peak Systems, Inc.
  • Download

Possible to Subvert Orchestrator Authentication

  • CVE-2020-12145 submitted on October 30, 2020 by Silver Peak Systems, Inc.
  • Download

OpenSSL Security Advisory, Raccoon Attack

  • CVE-2020-1968 originally published by OpenSSL Software Foundation on September 9, 2020
  • Download

IPSec UDP key material can be retrieved from EdgeConnect by admin

  • CVE-2020-12142 submitted on May 4, 2020 by Silver Peak Systems, Inc.
  • Download

Certificate used to identify Cloud Portal is not validated

  • CVE-2020-12144 submitted on May 4, 2020 by Silver Peak Systems, Inc.
  • Download

Certificate used to identify Orchestrator is not validated

  • CVE-2020-12143 submitted on May 4, 2020 by Silver Peak Systems, Inc.
  • Download

EdgeConnect Web UI Prior to 8.1.7.x Allows CSRF via JSON

  • CVE-2019-16099, originally published by the SD-WAN “new hope” team on Sep 8, 2019
  • Download

EdgeConnect Web UI Prior to 8.1.7.x Susceptible to Slow HTTP DoS Attacks

  • CVE-2019-16100 originally published by the SD-WAN “new hope” team on Sep 8, 2019
  • Download

Unauthenticated User Can Access Information via Stack Traces

  • CVE-2019-16101 originally published by the SD-WAN “new hope” team on Sep 8, 2019
  • Download

SNMP Service in EdgeConnect Prior to 8.1.7.x has Public Community Value

  • CVE-2019-16102 originally published by the SD-WAN “new hope” team on Sep 8, 2019
  • Download

Privilege Escalation in EdgeConnect Prior to 8.1.7.x

  • CVE-2019-16103 originally published by the SD-WAN “new hope” team on Sep 8, 2019
  • Download

EdgeConnect Web UI Susceptible to XSS and Directory Traversal Attacks

  • CVE-2019-16104 and CVE-2019-16105 originally published by the SD-WAN “new hope” team on Sep 8, 2019
  • Download

TCP SACK Panic and other remote denial of service vulnerabilities

  • NFLX-2019-001 originally published by Netflix on June 17, 2019
  • Download

Silver Peak Microarchitectural Data Sampling (MDS) vulnerabilities

  • INTEL-SA-00233 originally published by Intel on May 14, 2019
  • Download

libssh Authentication Bypass in Server Mode - CVE-2018-10933

  • Published by libssh on October 19, 2018
  • Download

L1 Terminal Fault - INTEL-SA-00161

  • Published by Intel on August 14, 2018
  • Download

The Dangers of Key Reuse: Practical Attacks on IPsec IKE

  • Published at the USENIX Security Symposium on August 15, 2018
  • Download

Meltdown and Spectre Vulnerabilities

  • VU#584653 originally published by CERT on January 3, 2018
  • Download

Return of Bleichenbacher’s Oracle Threat (ROBOT Attack) – A TLS Vulnerability

  • VU#144389 originally published by CERT on December 12, 2017
  • Download

Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update, Escalation of Privilege

  • INTEL-SA-00086 published by Intel on November 20, 2017
  • Download

Node.js Denial of Service (DoS) Vulnerability

  • CVE-2017-14919 published by node.js on October 24, 2017
  • Download

INTEL-SA-00075

  • CVE-2017-5689 published by Intel on May 1, 2017
  • Download

Dirty COW Vulnerability

  • CVE-2016-5195, published by dirtycow.ninja on October 21, 2016
  • Download

OCSP Status Request extension unbounded memory growth

  • CVE-2016-6304, published by OpenSSL on 9/22/2016
  • Paired with: CVE-2016-6309, Fix Use After Free for large message sizes
  • Download

Multiple OpenSSL Vulnerabilities

DROWN attack vulnerability

  • CVE-2016-0800, published by NIST on 03/01/2016
  • Download

glibc getaddrinfo stack-based buffer overflow

  • CVE-2015-7547, published by NIST on 02/18/2016
  • Download

RC4 algorithm, as used in TLS/SSL, vulnerable to plaintext-recovery attacks

  • CVE-2013-2566, published by NIST on 03/15/2013
  • Download

RFC 5469 Compliance

  • DES and IDEA cipher suites for Transport Layer Security (TLS) are vulnerable to brute-force (exhaustive key search) attacks.
  • Download

Cross-Site Scripting (XSS) Vulnerability

  • CVE-2014-2975, published by NIST on 07/28/2014
  • Download

Cross-Site Request Forgery (CSRF) Vulnerability through hardcoded account

  • CVE-2014-2974, published by NIST on 07/28/2014
  • Download

Shell Upload Vulnerability

  • Published by seclists.org on 09/09/2015
  • Download

Command Injection Vulnerability

  • Published by seclists.org on 09/09/2015
  • Download

Unauthenticated File Read Vulnerability

  • Published by seclists.org on 09/09/2015
  • Download

Mass Assignment Vulnerability

  • Published by seclists.org on 09/09/2015
  • Download

libpng Exploit Vulnerability

  • CVE-2014-0333, published by NIST on 02-27-2014
  • Download

GHOST Vulnerability

  • CVE-2015-0235 (glibc:__nss_hostname_digits_dots() heap-based buffer overflow), published by NIST on 01-28-2015
  • Download

OpenSSH Keyboard-Interactive Authentication Brute Force Vulnerability

  • CVE-2015-5600, published by NIST on 08-02-2015
  • Download

Logjam Vulnerability

  • CVE-2015-4000, published by NIST on 05-20-2015
  • Download

SSL 3.0 Vulnerability, a.k.a. “Poodle”

  • CVE-2014-3566, CVE-2014-3568, published by NIST on 10-16-2014
  • Download

GNU Bash Vulnerability, a.k.a. “Shellshock”

  • CVE-2014-7169, CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187, published by NIST on 09-24-2014
  • Download

OpenSSL Vulnerability, a.k.a. “Heartbleed Bug”

  • CVE-2014-0160, published on 04-09-2014
  • Download

Multiple OpenSSL Vulnerabilities

  • CVE-2014-3513, CVE-2014-3567, published by OpenSSL.org on 10-15-2014
  • Download

Contact Information

If you have information about a security issue or vulnerability with a Silver Peak product or technology, please send an e-mail to Sirt@arubanetworks.com.

Encrypt sensitive information using our PGP public key: ASC File (download) or text file (for copy-paste).

Key Details:

  • User-ID: Silver Peak SIRT (Silver Peak Security Incidence Response Team) sirt@silver-peak.com
  • Type: 4096-bit RSA
  • Usage: Signing, Encryption, Certifying User-IDs
  • Fingerprint: 3ACA24A1E39CFC9A74F396FA44E3D25F6E7ADFF6
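
Before encrypting a report to the SIRT key, the downloaded key should be checked against the fingerprint published above, since a PGP key fetched over the web can be swapped or mis-linked. The script below is an added example, not code from the Silver Peak page or from the SIRT; it imports the key into a throwaway keyring, compares the primary-key fingerprint reported by gpg with the published value, and only then encrypts. The file names sirt.asc and report.txt are assumptions.

```bash
#!/bin/sh
# Added example (not Silver Peak's own tooling): verify a downloaded SIRT PGP
# key against the fingerprint published on this page, then encrypt a report.
# Assumed inputs: sirt.asc (the downloaded key) and report.txt (your write-up).

# Fingerprint exactly as published in the Key Details above.
EXPECTED_FPR="3ACA24A1E39CFC9A74F396FA44E3D25F6E7ADFF6"

# Normalise a fingerprint for comparison: strip whitespace, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Return 0 when the candidate fingerprint equals EXPECTED_FPR, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# primary-key fingerprint: the first "fpr" record after the "pub" record
# (field 10 of an fpr record holds the fingerprint; subkey fprs come later).
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" {seen=1} seen && $1 == "fpr" {print $10; exit}'
}

# Import the key into a temporary GNUPGHOME, check the fingerprint, encrypt.
# Usage: encrypt_report sirt.asc report.txt   -> writes report.txt.asc
encrypt_report() {
    key_file="$1"; report="$2"
    tmp_home=$(mktemp -d) || return 1
    gpg --homedir "$tmp_home" --batch --quiet --import "$key_file" || { rm -rf "$tmp_home"; return 1; }
    actual=$(gpg --homedir "$tmp_home" --batch --with-colons --fingerprint | primary_fpr_from_colons)
    if ! fpr_matches "$actual"; then
        echo "fingerprint mismatch: expected $EXPECTED_FPR, got $actual" >&2
        rm -rf "$tmp_home"
        return 1
    fi
    # The fingerprint was verified out of band, so the web of trust is not needed.
    gpg --homedir "$tmp_home" --batch --trust-model always --armor \
        --encrypt --recipient "$EXPECTED_FPR" --output "$report.asc" "$report"
    rc=$?
    rm -rf "$tmp_home"
    return $rc
}
```

Addressing the recipient by full fingerprint rather than by e-mail address means gpg cannot silently pick a different key that happens to carry the same User-ID.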

Please provide as much information as possible, including:

  • The products and versions affected
  • Detailed description of the vulnerability
  • Information on known exploits

A member of the Silver Peak Product Security Team will review your e-mail and contact you to collaborate on resolving the issue.