2013-08 Security Bulletin: Security Threat Response Manager: Command injection vulnerability (CVE-2013-2970)

Article ID: JSA10583 SECURITY_ADVISORIES Last Updated: 14 Aug 2013Version: 1.0
Product Affected:
STRM series devices and virtual machines running STRM software releases 2010.0, 2012.0, 2012.1 and 2013.1.
Problem:
Security Threat Response Manager (STRM) software contains a command injection vulnerability that allows an authenticated user to execute operating system commands as the limited-access webservices user on the STRM device. That access could in turn be used to obtain a remote shell as the webservices user. Even though authenticated users of the STRM device do not necessarily have shell access, the patch should be applied as soon as possible.
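The advisory names the bug class (OS command injection reachable by an authenticated user) but, as is usual for a bulletin, does not show the affected code. The following is an added, generic illustration of that class written for this page; it is not STRM code and says nothing about where the flaw sat in STRM. It wraps a harmless `echo` so it is safe to run, and contrasts a command line built by string concatenation and handed to a shell with the two usual fixes: passing an argument vector (no shell, so metacharacters are never interpreted) and allow-list validation of the user-controlled field before anything runs.

```python
import re
import subprocess

# Added, constructed example of OS command injection; not STRM's code.
# `echo` stands in for whatever system tool the web layer would invoke.


def run_vulnerable(host: str) -> str:
    """Builds the command by string concatenation and gives it to /bin/sh.
    Shell metacharacters in `host` (; | && $(...) ...) are interpreted, so a
    caller who controls `host` runs arbitrary commands as this process's user,
    which is the class of bug the advisory describes."""
    completed = subprocess.run(
        f"echo pinging {host}", shell=True,
        capture_output=True, text=True, check=True,
    )
    return completed.stdout.strip()


def run_argv_only(host: str) -> str:
    """Argument vector, no shell: the payload becomes one literal argument and
    can never start a second command. The invoked program must still cope
    with odd arguments (option injection, for example), so validation is
    wanted in addition, not instead."""
    completed = subprocess.run(
        ["echo", "pinging", host],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout.strip()


# Allow-list for a DNS hostname (assumed format for this example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_hardened(host: str) -> str:
    """Allow-list validation plus an argument vector: input that is not a
    plausible hostname is rejected before any process is started."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return run_argv_only(host)


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print(run_vulnerable(payload))   # second command executes
    print(run_argv_only(payload))    # payload printed literally, nothing executed
    try:
        run_hardened(payload)
    except ValueError as exc:
        print(exc)                   # rejected before any command runs
```

Running it shows `INJECTED` on its own line only from `run_vulnerable`; the argv variant prints the payload as text, and the hardened variant refuses it.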

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2013-2970.
Solution:
This issue is fixed in STRM 2013.2.R2 and later releases.

A patch for STRM software releases 2010.0, 2012.0, 2012.1 and 2013.1 is available from the STRM download site http://www.juniper.net/support/downloads/group/?f=strm as the "Vulnerability CVE-2013-2970 patch script".
Workaround:
There are no viable workarounds that can mitigate this vulnerability.
Implementation:
 
CVSS Score:
6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Severity Level:
High
Severity Assessment:
A network-based (AV:N) authenticated user (Au:S) can easily (AC:L) execute shell commands, with a partial impact on the system's confidentiality (C:P), integrity (I:P) and availability (A:P).
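To check that the published vector really yields 6.5, and to see how much the single-authentication requirement (Au:S) and the partial-impact ratings hold the score down, here is the CVSS v2.0 base-score arithmetic as an added example (not part of the bulletin). The metric weights and formula are those of the CVSS v2.0 specification; the vector string is the one printed above.

```python
# Added example: CVSS v2.0 base score computed from the advisory's vector.
# Weights and formula per the CVSS v2.0 specification (not Juniper code).

AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # AccessVector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # AccessComplexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # Conf/Integ/Avail impact


def parse_vector(vector: str) -> dict:
    """'(AV:N/AC:L/Au:S/C:P/I:P/A:P)' -> {'AV': 'N', 'AC': 'L', 'Au': 'S', ...}"""
    metrics = dict(part.split(":") for part in vector.strip("() ").split("/"))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"not a complete CVSS v2 base vector: {vector!r}")
    return metrics


def impact(m: dict) -> float:
    return 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))


def exploitability(m: dict) -> float:
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]


def base_score(vector: str) -> float:
    m = parse_vector(vector)
    i, e = impact(m), exploitability(m)
    f_impact = 0.0 if i == 0 else 1.176
    return round(((0.6 * i) + (0.4 * e) - 1.5) * f_impact, 1)


if __name__ == "__main__":
    published = "(AV:N/AC:L/Au:S/C:P/I:P/A:P)"
    print(published, "->", base_score(published))
    # What-ifs, to see which metrics are holding the score down:
    print("unauthenticated (Au:N)  ->", base_score("AV:N/AC:L/Au:N/C:P/I:P/A:P"))
    print("complete impact (C/I/A:C) ->", base_score("AV:N/AC:L/Au:S/C:C/I:C/A:C"))
```

The published vector scores 6.5. Removing the authentication requirement alone lifts it to 7.5, and rating the impact complete on all three axes (which would correspond to root rather than a limited-access webservices user) to 9.0, which is why the advisory stresses that the access obtained is that of the limited webservices account.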
Acknowledgements:
 
