2012-08 Security Advisory: NSM Products: Multiple Java JDK/JRE Vulnerabilities

  [JSA10531]


Legacy Advisory Id:
PSN-2012-08-689
Product Affected:
This issue affects all NSM products, regardless of platform.
Problem:

Multiple vulnerabilities have been identified in the Java Development Kit and Runtime Environment (JDK/JRE) software in Juniper Networks NSM products (NSMXpress, NSMXpress II, NSM3000, and NSMserver). The twenty-nine (29) individual vulnerabilities are listed below by CVE label:

CVE-2008-3103
CVE-2008-3104
CVE-2008-3105
CVE-2008-3106
CVE-2008-3107
CVE-2008-3108
CVE-2008-3109
CVE-2008-3110
CVE-2008-3111
CVE-2008-3112
CVE-2008-3113
CVE-2008-3114
CVE-2008-3115
CVE-2011-0862
CVE-2011-0873
CVE-2011-0815
CVE-2011-0817
CVE-2011-0863
CVE-2011-0864
CVE-2011-0802
CVE-2011-0814
CVE-2011-0871
CVE-2011-0786
CVE-2011-0866
CVE-2011-0868
CVE-2011-0872
CVE-2011-0867
CVE-2011-0869
CVE-2011-0865

(Note: Multiple CVEs in this set have the highest possible score of 10.0, and thus it is used as the score for this entire bulletin.)

These issues were discovered in a variety of ways, and all are assumed to be known publicly.

The Juniper SIRT is not aware of any specific malicious exploitation of these vulnerabilities against Juniper Networks NSM products.

No other Juniper Networks products or platforms are affected by this issue.
Solution:

All of the issues in this bulletin were resolved by a major upgrade of the Java JDK/JRE software in the NSM product. The following NSM releases fix these issues:

NSM version 2012.1R2 or later
NSM version 2011.4s5 or later
NSM version 2010.3s8 or later


KB16765 - "In which releases are vulnerabilities fixed?" describes which releases are fixed for vulnerabilities per Juniper Networks' "End of Engineering" and "End of Life" support policies.

Workaround:

It is always prudent to limit physical and network-based access to the NSM device. Due to the number and variety of issues included in this bulletin, it is impractical to provide a comprehensive workaround which would mitigate all of these issues.

Customers are strongly encouraged to upgrade to a release listed above.
Implementation:

How to obtain fixed software:

NSM Maintenance Releases are available at http://support.juniper.net from the "Download Software" links. If a Maintenance Release is not adequate and access to NSM patches is needed, open a customer support case. A JTAC engineer will review your request and respond, ensuring that you will be provided with the most appropriate Patch Release for your specific situation.
Related Links:
CVSS Score:
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Severity Level:
Critical
Severity Assessment:
(Note: This score is based on the highest-scoring individual issue in the set, as explained above.)

Information on how Juniper Networks uses CVSS can be found in KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."