HPE Aruba Networking AOS-8 Instant Access Points Unauthenticated XML External Entity Injection Vulnerability Leading to Denial-of-Service
Vulnerability
A vulnerability exists in the XML processing component of AOS-8 Instant access points, specifically in versions 8.13.1.1 and below, 8.12.0.6 and below, and 8.10.0.21 and below. This vulnerability allows an unauthenticated remote attacker to exploit XML External Entity (XXE) injection, potentially causing excessive resource consumption and leading to a denial-of-service condition. The issue arises when the affected system interacts with maliciously crafted XML, causing disruption or reduced availability of the DHCP service.
Impact
Exploitation of this vulnerability can cause excessive resource consumption, leading to service disruption or reduced availability of the affected system.
Remediation
Users can upgrade to AOS-8 Instant versions 8.13.1.2, 8.12.0.7, or 8.10.0.22. For access points running AOS-10, refer to the HPE Aruba Networking Support Portal for available versions.
