11 August 2014
HiveManager (both on-premises and HMOL) version 6.1r3a and lower are vulnerable to CVE-2013-2251, and should be upgraded immediately to version 6.1r5 or later. A vulnerability within a component used in HiveManager, the Struts2 framework, allows unauthenticated attackers to execute arbitrary OGNL expressions on the target host, and possibly to gain root access. Aerohive has made available version 6.1r6a for immediate upgrade to address the vulnerabilities.
Aerohive HiveManager (both on-premises and HiveManager Online), versions 6.1r3a and lower.
In late May 2014 a security researcher brought to Aerohive’s attention a potential security vulnerability in HiveManager. After investigation, Aerohive concluded the vulnerabilities are in a component (Apache Struts2) used by Aerohive HiveManager and HiveManager OnLine, and the MyHive portal. The vulnerability in the MyHive portal was fixed immediately, and forensic analysis indicated the MyHive portal had not been breached. The limited-availability HiveManager 6.1r5 was determined to not be vulnerable. Apache Struts2 is a Java web application framework used by Aerohive HiveManager and HiveManager OnLine, and the MyHive portal. Struts version (22.214.171.124) was used in HM 6.1r3a and earlier. CVE-2013-2251 affects Struts2 versions 2.0.0 thru 126.96.36.199. HiveManager version 6.1r5 uses Struts2 version 188.8.131.52. Aerohive began to automatically upgrade all HMOL accounts to 6.1r6 starting on 7 July 2014, and has now concluded those upgrades.
This vulnerability was originally reported to Aerohive by, and we extend our thanks to, Jacco van Tuijl.
May allow unauthorized disclosure of information; May allow unauthorized modification; May allow disruption of service.
On-premises HiveManager customers should immediately upgrade to HiveManager version 6.1r6a. HiveManager Online customers have been automatically upgraded as quickly as Aerohive could perform those upgrades. As always, Aerohive recommends that you follow best security practices, including reduction of possible attack surface areas by use of access control methods such as network-level ACLs to restrict access.
Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory will be posted on Aerohive’s website at:
Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision 1.0 / 2014-08-11 / Final release
Complete information on reporting security vulnerabilities in Aerohive products, obtaining assistance with security incidents is available at
For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.aerohive.com/support/security-center
© Copyright 2017 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.