2013-08 Security Bulletin: Junos Space: Multiple Vulnerabilities

Article ID: JSA10585 SECURITY_ADVISORIES Last Updated: 14 Aug 2013 Version: 1.0
Product Affected:
Junos Space Appliance hardware JA1500 and virtual machines with Junos Space Software 11.1, 11.2, 11.3, 11.3, 12.1, 12.2, 12.3.
Problem:
A number of vulnerabilities affect Junos Space releases before 13.1R1.6. All of them have been addressed in the 13.1R1.6 release:
  • CVE-2013-5095 A reflected cross-site scripting vulnerability affects the Junos Space web-based interface. This may allow a remote attacker to obtain sensitive information from Junos Space users (PR 884469).
  • CVE-2013-5096 A vulnerability in the Junos Space role-based access control implementation may allow users with read-only privilege to make configuration changes (PR 863804).
  • CVE-2013-5097 A password disclosure vulnerability may allow authenticated users to obtain a list of all users and their MD5-hashed passwords. Dictionary-type attacks may then be used to retrieve the passwords (PR 879462).
  • CVE-2012-0053, CVE-2011-4317, CVE-2011-3368 The Apache HTTP server used in Junos Space is affected by a number of vulnerabilities, some of which may pose a security risk to Junos Space (PR 860167).
Solution:
These vulnerabilities have been fixed in Junos Space 13.1R1.6, released on 29th June 2013. All subsequent releases will also contain the fix.
Workaround:
There are no viable workarounds that can mitigate all these vulnerabilities.
To reduce exposure to the Apache vulnerabilities, use access lists or firewall filters to limit access to Junos Space to trusted networks only.
Implementation:
 
CVSS Score:
5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Severity Level:
Medium
Severity Assessment:
The CVSS score is based on the Apache vulnerabilities CVE-2011-3368 and CVE-2011-4317. The other issues described here get the following CVSSv2 Base scores: CVE-2013-5095 = 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N), CVE-2013-5096 = 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N), CVE-2013-5097 = 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N).
Acknowledgements:
 
