2013-11 Security Bulletin: Network and Security Manager: Apache Tomcat security update

Article ID: JSA10600 SECURITY_ADVISORIES Last Updated: 13 Nov 2013Version: 1.0
Product Affected:
NSM3000 and NSMExpress with NSM releases 2010.3, 2011.4, 2012.1, 2012.2 and NSM software releases 2010.3, 2011.4, 2012.1, 2012.2
Problem:
Apache Tomcat server software included with Network and Security Manager is affected by multiple security vulnerabilities. The following may pose a security risk to NSM:

CVE            CVSSv2 Base Score and Vector        Summary
CVE-2012-0022  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)   High CPU consumption denial of service vulnerability
CVE-2012-5568  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Denial of service vulnerability with partial requests
CVE-2012-5885  5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)   Authentication bypass vulnerability in Apache Tomcat
CVE-2012-5886  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)   Authentication bypass vulnerability in Apache Tomcat
CVE-2012-5887  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)   Authentication bypass vulnerability in Apache Tomcat
Solution:
The following NSM releases contain the fix:
NSM 2012.2R5 (released Oct 10, 2013) and later releases.

Apache Tomcat has been upgraded from 5.5.34 to 6.0.37 in NSM 2012.2R5 and later releases.
Workaround:
 Limit access to NSM only from trusted hosts.
Implementation:
 NSM software update can be obtained from:
http://www.juniper.net/support/downloads/?p=nsm#sw
CVSS Score:
5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Severity Level:
Medium
Severity Assessment:
The CVSSv2 base score is taken from the Apache Tomcat vulnerability scores. These issues may allow a network-based attacker to easily impact the availability, confidentiality or integrity of NSM's web service.
Acknowledgements:
 
