Vulnerabilities have been identified in a commonly used component in multiple Aruba products. These vulnerabilities allow attackers to use specially crafted XML input to potentially cause denial of service conditions or remote code execution.

Details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2022-25235
https://nvd.nist.gov/vuln/detail/CVE-2022-25236
https://nvd.nist.gov/vuln/detail/CVE-2022-25313
https://nvd.nist.gov/vuln/detail/CVE-2022-25314
https://nvd.nist.gov/vuln/detail/CVE-2022-25315

Internal references: ATLCP-191, ATLAX-60, ATLWL-293, ATLWL-183, ATLWL-292, ATLWL-192, ATLSP-1

CVSS vectors and scores provided by NVD are as follows:
CVE-2022-25235 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical
CVE-2022-25236 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical
CVE-2022-25313 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - 6.5 medium
CVE-2022-25314 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 high
CVE-2022-25315 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - 9.8 critical

Aruba Threat Labs analyzed and tested these vulnerabilities in the products using the affected component. The finding is that exploitation of these vulnerabilities is not straightforward and depends on many factors that an attacker may not be able to control. Aruba has chosen to keep the NVD-provided severity scores as a reference. The impact on products using the affected component is very low based on ongoing testing.