Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Denial of Service vulnerability in OpenSSL (FreeBSD advisory SA-04.05.openssl)



Article ID: JSA10322 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 2.0
Legacy Advisory Id:
Product Affected:
All releases of JUNOS software built prior to March 18, 2004, and all current releases of the SDX provisioning software are vulnerable.
Domestic releases of the JUNOS software include the OpenSSL software for managing authentication certificates and for managing the router through the JUNOScript application. Due to a coding error, when processing an SSL/TLS ChangeCipherSpec message, OpenSSL may fail to check that a new cipher was previously negotiated. As a result of this failure, the JUNOScript application might stop operating.

This vulnerability is described in more detail in the OpenSSL Security Advisory and the associated FreeBSD Security Advisory.

Note: The OpenSSL advisory refers to an additional vulnerability when using Kerberos ciphersuites. Since neither JUNOS nor SDX software is capable of using Kerberos ciphersuites, the additional vulnerability is not applicable.
The JUNOS software has been modified to properly detect that a new cipher had been previously negotiated. If a new cipher was not previously negotiated, the request to change to the new cipher is rejected.
For JUNOS software, the corrected software is available in all JUNOS software releases built on or after March 18, 2004. Contact Juniper Networks Technical Assistance Center for software availability and download instructions.

As a workaround, customers can disable the JUNOScript SSL server using the command
user@router# deactivate system service xnm-ssl
Alternatively, you can configure a firewall filter that restricts access to the JUNOScript server (running on TCP port 3221) from untrusted sources.

For the SDX provisioning software, customers should contact JTAC to determine the availability of corrected software.
Severity Level:
Severity Assessment:
A remote attacker can disrupt management access to the router or to the provisioning system. Currently, there is no known exploit for this vulnerability.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search