A cross-site scripting (XSS) vulnerability in the IDP ACM (Appliance Configuration Manager) may allow arbitrary script to be executed in the browser of a user of the ACM web interface, without that user's knowledge.
No other Juniper Networks products are affected by this vulnerability.
This issue was reported by JPCERT on behalf of an anonymous reporter, but Juniper had discovered and repaired the issue internally prior to the external notice.
IDP 4.1r3, IDP 4.2r1, and later releases have been modified to eliminate this vulnerability.
We strongly urge all customers who are currently running releases earlier than 4.1r3 to upgrade to a fixed release.
If a software upgrade is not feasible, customers should limit access to the IDP ACM user interface, or disable management via the IDP ACM web interface if it is not needed.
Restrict access to the IDP ACM login by specifying the network and host IP addresses that are allowed to reach the ACM: log in to the ACM, select "Modify IDP ACM Access", choose "Restrict Networks", and then add the network and host IP addresses that are permitted to manage the device. This limits who can reach the vulnerable interface; it does not remove the vulnerability itself, so the upgrade is still required.
Disable all access to the IDP ACM web interface if management via the IDP ACM web interface is not needed: log in to the sensor and run the command "service httpd stop" to stop the service. To re-enable IDP ACM web interface access, restart the process with the command "service httpd start". Because this stops the running process only, confirm after any reboot of the sensor that the web interface has not been started again.
Disclaimer: Juniper Networks is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Juniper Networks expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of noninfringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Juniper Networks may change this notice at any time.