CVE-2022-43528

Name of the Vulnerable Software and Affected Versions Aruba EdgeConnect Enterprise Orchestrator versions 9.2.1.40179 and below Aruba EdgeConnect Enterprise Orchestrator versions 9.1.4.40436 and below Aruba EdgeConnect Enterprise Orchestrator versions 9.0.7.40110 and below Aruba EdgeConnect Enterprise Orchestrator versions 8.10.23.40015 and below

Description Under certain configurations, an attacker can login to Aruba EdgeConnect Enterprise Orchestrator without supplying a multi-factor authentication code, allowing them to login using only a username and password and bypass MFA requirements.

Recommendations For Aruba EdgeConnect Enterprise Orchestrator version 9.2.1.40179 and below, update to a version above 9.2.1.40179 to resolve the issue. For Aruba EdgeConnect Enterprise Orchestrator version 9.1.4.40436 and below, update to a version above 9.1.4.40436 to resolve the issue. For Aruba EdgeConnect Enterprise Orchestrator version 9.0.7.40110 and below, update to a version above 9.0.7.40110 to resolve the issue. For Aruba EdgeConnect Enterprise Orchestrator version 8.10.23.40015 and below, update to a version above 8.10.23.40015 to resolve the issue. As a temporary workaround, consider restricting access to the login functionality until a patch is available.