Knowledge Search


×
 

2013-08 Security Bulletin: Junos Space: Multiple Vulnerabilities

  [JSA10585] Show Article Properties


Product Affected:
Junos Space Appliance hardware JA1500 and virtual machines with Junos Space Software 11.1, 11.2, 11.3, 11.3, 12.1, 12.2, 12.3.
Problem:
A number of vulnerabilities affect Junos Space releases before 13.1R1.6 which have been addressed in the 13.1R1.6 release:
  • CVE-2013-5095 A reflected cross site scripting vulnerability affects Junos Space web based interface. This may allow a remote attacker to obtain sensitive information from Junos Space users (PR 884469).
  • CVE-2013-5096 A vulnerability in Junos Space role based access control implementation may allow users with read-only privilege to make configuration changes (PR 863804).
  • CVE-2013-5097 A password disclosure vulnerability may allow authenticated users to obtain a list of all users and their MD5 hashed passwords. One may then use dictionary type of attacks to retrieve the passwords (PR 879462).
  • CVE-2012-0053, CVE-2011-4317, CVE-2011-3368 Apache http server used in Junos Space is affected by a number of vulnerabilities. Some of which may pose a security risk to Junos Space (PR 860167).
Solution:
These vulnerabilities have been fixed in Junos Space 13.1R1.6 released 29th June 2013. All subsequent releases will also contain the fix.
Workaround:
There are no viable workarounds that can mitigate all these vulnerabilities.
To reduce exposure to Apache vulnerabilities use access lists or firewall filters to limit access to Junos Space from only trusted networks.
Implementation:
 
Related Links:
CVSS Score:
5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Risk Level:
Medium
Risk Assessment:
CVSS score is based on Apache vulnerabilities CVE-2011-3368, CVE-2011-4317. Other issues described here get the following CVSSv2 Base scores: CVE-2013-5095 = 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N), CVE-2013-5096 = 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N), CVE-2013-5097 = 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Acknowledgements: