
Juniper Security Advisory: Cross-Site Scripting (XSS) Vulnerability in IDP ACM



Article ID: JSA10405
SECURITY_ADVISORIES
Last Updated: 05 Mar 2017
Version: 2.0
Legacy Advisory Id:
Product Affected:
IDP Software
A cross-site scripting (XSS) vulnerability in the IDP ACM (Appliance Configuration Manager) may allow arbitrary instructions to be executed in a user's browser without the user's knowledge.

No other Juniper Networks products are affected by this vulnerability.

This issue was reported by JPCERT on behalf of an anonymous referrer, but Juniper had discovered and repaired the issue internally prior to the external notice.
IDP 4.1r3, IDP 4.2r1 and later versions have been modified to eliminate this vulnerability.

We strongly urge all customers who are currently on versions earlier than 4.1r3 to upgrade.
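To turn the version statement above into a repeatable check across an inventory, the following added example (not Juniper code, and not part of the original advisory) parses IDP version strings in the form used by this advisory ("4.1r3", "4.2r1") and reports whether a given release carries the fix. The version-string format, the inventory layout and the hostnames are assumptions constructed for the example; the fixed-release thresholds are the ones stated in the advisory.

```python
import re
from typing import Dict, List, Tuple

# Assumption: IDP versions are written MAJOR.MINOR r REVISION, as in "4.1r3".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)r(\d+)$")

# Earliest fixed revision per release train, as stated in JSA10405:
# 4.1r3, and 4.2r1 and later versions.
FIXED_BY_TRAIN: Dict[Tuple[int, int], int] = {(4, 1): 3, (4, 2): 1}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, revision) for a string such as '4.1r3'."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised IDP version string: {text!r}")
    major, minor, rev = (int(part) for part in match.groups())
    return major, minor, rev


def is_fixed(version: str) -> bool:
    """True when the release includes the ACM XSS fix described in JSA10405."""
    major, minor, rev = parse_version(version)
    train = (major, minor)
    if train in FIXED_BY_TRAIN:
        return rev >= FIXED_BY_TRAIN[train]
    # Trains newer than any listed train are covered by "and later versions";
    # trains older than 4.1 predate the fix entirely.
    return train > max(FIXED_BY_TRAIN)


def needs_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Return the names of sensors still running an unfixed release, sorted."""
    return sorted(name for name, ver in inventory.items() if not is_fixed(ver))


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "idp-dc1": "4.1r2",
    "idp-dc2": "4.1r3",
    "idp-branch": "4.0r5",
    "idp-lab": "4.2r1",
    "idp-new": "5.0r1",
}

if __name__ == "__main__":
    for host in needs_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected; upgrade to 4.1r3 / 4.2r1 or later")
```

Unparseable version strings raise rather than being silently treated as fixed, so a malformed inventory entry surfaces as an error instead of a false "not affected" result.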

If a software upgrade is not feasible, customers should limit access to the IDP ACM user interface, or disable management via the IDP ACM web interface if it is not needed.
  • Restrict access to the IDP ACM login by specifying the network and host IP addresses that are allowed to access the ACM: Log in to the ACM, select "Modify IDP ACM Access", choose "Restrict Networks", and then add the network and host IP addresses that are permitted to manage the device.

  • Disable all access to the IDP ACM web interface if management via the IDP ACM web interface is not needed: Log in to the sensor and run the command "service httpd stop" to disable the service. To re-enable IDP ACM web interface access, restart the process with the command "service httpd start".

 Disclaimer: Juniper Networks is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Juniper Networks expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of noninfringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Juniper Networks may change this notice at any time.
Modification History:

2017-03-05: Category restructure.

Severity Level:
Severity Assessment:
The hostname or IP address of the IDP must be known, but can be discovered. Although authentication is required, it can be coerced in various ways.
