2012-11 Security Bulletin: NSM Products: Multiple vulnerabilities in Network and Security Manager products

[JSA10543]


Legacy Advisory Id:
PSN-2012-11-767
Product Affected:
Network and Security Manager
NSM3000
NSMXpress/NSMXpress HA
Problem:

Multiple vulnerabilities have been fixed in Juniper Networks NSM products (NSMXpress, NSMXpress II, NSM3000, and NSMserver) as a result of upgrading the base operating system to CentOS 5.7 on NSM appliances and Red Hat EL 5.7 on software NSM installations.

The following known CVE IDs, which may pose a security risk to NSM products, have been fixed as a result of this software upgrade:

Component        | CVE            | CVSSv2 base score | CVSSv2 Vector
-----------------|----------------|-------------------|---------------------------
Apache APR-util  | CVE-2009-0023  | 4.3               | AV:N/AC:M/Au:N/C:N/I:N/A:P
Apache APR-util  | CVE-2009-1955  | 7.8               | AV:N/AC:L/Au:N/C:N/I:N/A:C
Apache APR-util  | CVE-2009-1956  | 6.4               | AV:N/AC:L/Au:N/C:P/I:N/A:P
Apache APR-util  | CVE-2009-2412  | 10                | AV:N/AC:L/Au:N/C:C/I:C/A:C
Apache APR-util  | CVE-2010-1623  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
Apache APR-util  | CVE-2011-0419  | 4.3               | AV:N/AC:M/Au:N/C:N/I:N/A:P
ISC BIND         | CVE-2007-2926  | 4.3               | AV:N/AC:M/Au:N/C:N/I:P/A:N
ISC BIND         | CVE-2011-2464  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
Linux Kernel     | CVE-2011-1162  | 2.1               | AV:L/AC:L/Au:N/C:P/I:N/A:N
Linux Kernel     | CVE-2011-2203  | 2.1               | AV:L/AC:L/Au:N/C:N/I:N/A:P
Linux Kernel     | CVE-2011-2484  | 4.9               | AV:L/AC:L/Au:N/C:N/I:N/A:C
Linux Kernel     | CVE-2011-2494  | 2.1               | AV:L/AC:L/Au:N/C:P/I:N/A:N
Linux Kernel     | CVE-2011-2695  | 4.9               | AV:L/AC:L/Au:N/C:N/I:N/A:C
Linux Kernel     | CVE-2011-2723  | 5.7               | AV:A/AC:M/Au:N/C:N/I:N/A:C
Linux Kernel     | CVE-2011-4110  | 2.1               | AV:L/AC:L/Au:N/C:N/I:N/A:P
libxml2          | CVE-2010-4008  | 4.3               | AV:N/AC:M/Au:N/C:N/I:N/A:P
libxml2          | CVE-2011-1944  | 9.3               | AV:N/AC:M/Au:N/C:C/I:C/A:C
libxml2          | CVE-2011-2834  | 6.8               | AV:N/AC:M/Au:N/C:P/I:P/A:P
libxml2          | CVE-2011-3905  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
libxml2          | CVE-2011-3919  | 7.5               | AV:N/AC:L/Au:N/C:P/I:P/A:P
OpenSSL          | CVE-2009-0590  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
OpenSSL          | CVE-2009-1377  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
OpenSSL          | CVE-2009-1378  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
OpenSSL          | CVE-2009-1379  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
OpenSSL          | CVE-2009-1386  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
OpenSSL          | CVE-2009-1387  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
OpenSSL          | CVE-2009-3245  | 10                | AV:N/AC:L/Au:N/C:C/I:C/A:C
OpenSSL          | CVE-2009-3555  | 5.8               | AV:N/AC:M/Au:N/C:N/I:P/A:P
OpenSSL          | CVE-2009-4355  | 5                 | AV:N/AC:L/Au:N/C:N/I:N/A:P
OpenSSL          | CVE-2010-0433  | 4.3               | AV:N/AC:M/Au:N/C:N/I:N/A:P
OpenSSL          | CVE-2010-4180  | 4.3               | AV:N/AC:M/Au:N/C:N/I:P/A:N
PHP              | CVE-2007-3996  | 6.8               | AV:N/AC:M/Au:N/C:P/I:P/A:P
PostgreSQL       | CVE-2006-5540  | 4                 | AV:N/AC:L/Au:S/C:N/I:N/A:P
PostgreSQL       | CVE-2006-5541  | 4                 | AV:N/AC:L/Au:S/C:N/I:N/A:P
PostgreSQL       | CVE-2006-5542  | 4                 | AV:N/AC:L/Au:S/C:N/I:N/A:P
PostgreSQL       | CVE-2007-0555  | 8.5               | AV:N/AC:L/Au:S/C:C/I:N/A:C
PostgreSQL       | CVE-2007-0556  | 6.6               | AV:N/AC:H/Au:S/C:C/I:N/A:C
PostgreSQL       | CVE-2010-4015  | 6.5               | AV:N/AC:L/Au:S/C:P/I:P/A:P

These issues were discovered in a variety of ways, and all are known publicly.

Please refer to the NSM release notes for a complete list of CVEs that were fixed.

Solution:

These vulnerabilities are fixed in:
NSM version 2012.1 and later
NSM version 2011.4s4 and later
NSM version 2010.3s7 and later

Note: the CentOS or Red Hat version should also be upgraded to 5.7.
The CentOS 5.7 upgrade file available from the NSM 2012.1 download page is applicable to NSM 2011.x and NSM 2010.x as well. Upgrade instructions are available in the NSM Installation Guide.


Workaround:

There are no known workarounds that can mitigate all of the issues listed in this bulletin.

Use access lists or firewall filters to limit access to the NSM network management server to trusted hosts only.

Related Links:
Severity Level:
Critical
Severity Assessment:
The highest CVSSv2 score of these vulnerabilities is 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
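As an added worked example (not part of Juniper's bulletin), the CVSSv2 base-score equation applied to the vector format used in the table above: it recomputes each published score from its vector and picks out the highest, which is the figure the Severity Assessment quotes. The metric weights are those of the CVSS v2 specification; the rows are a subset copied from the bulletin's table.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSSv2 base-metric weights from the CVSS v2 specification.
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": _CIA, "I": _CIA, "A": _CIA,
}

def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 'N', ...}, rejecting bad metrics."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != set(WEIGHTS):
        raise ValueError(f"vector must carry exactly the six base metrics: {vector}")
    for name, value in metrics.items():
        if value not in WEIGHTS[name]:
            raise ValueError(f"unknown value {value!r} for metric {name}")
    return metrics

def cvss2_base_score(vector):
    """CVSSv2 base equation; rounded half-up to one decimal as the spec requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]]
    f_impact = 0 if impact == 0 else 1.176  # no impact at all yields a zero score
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

# A subset of the bulletin's rows: (CVE, published base score, published vector).
BULLETIN_ROWS = [
    ("CVE-2009-2412", 10.0, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("CVE-2011-0419", 4.3, "AV:N/AC:M/Au:N/C:N/I:N/A:P"),
    ("CVE-2011-1162", 2.1, "AV:L/AC:L/Au:N/C:P/I:N/A:N"),
    ("CVE-2011-2723", 5.7, "AV:A/AC:M/Au:N/C:N/I:N/A:C"),
    ("CVE-2007-0556", 6.6, "AV:N/AC:H/Au:S/C:C/I:N/A:C"),
    ("CVE-2006-5540", 4.0, "AV:N/AC:L/Au:S/C:N/I:N/A:P"),
]

def check_rows(rows):
    """Rows whose published score disagrees with the recomputed one (empty means consistent)."""
    return [(cve, listed, cvss2_base_score(vec))
            for cve, listed, vec in rows if cvss2_base_score(vec) != listed]

def highest(rows):
    """(score, vector) of the worst row: the figure the Severity Assessment quotes."""
    return max((cvss2_base_score(vec), vec) for _, _, vec in rows)
```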