
2013-11 Security Bulletin: Junos Space: MySQL security update


Article ID: JSA10601 SECURITY_ADVISORIES Last Updated: 13 Nov 2013 Version: 1.0
Product Affected:
Junos Space and JA1500 Junos Space Appliance with Junos Space releases before 13.1R1.
Problem:
MySQL server software included with Junos Space is affected by a number of security vulnerabilities. The following may pose a security risk to Junos Space:

| CVE | CVSSv2 Base Score and Vector | Summary |
| --- | --- | --- |
| CVE-2011-2262 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of Service Vulnerability in MySQL |
| CVE-2012-0486 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of Service Vulnerability in MySQL |
| CVE-2012-0553 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Buffer overflow in yaSSL as used in MySQL |
| CVE-2012-0882 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Buffer overflow in yaSSL as used in MySQL |
| CVE-2012-1702 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of Service Vulnerability in MySQL |
| CVE-2012-3147 | 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) | Vulnerability in MySQL with impact on integrity and availability. |
| CVE-2012-3158 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Vulnerability in MySQL with impact on confidentiality, integrity and availability. |
| CVE-2012-3163 | 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Vulnerability in MySQL with impact on Junos Space's confidentiality, integrity and availability. |
| CVE-2013-0385 | 6.6 (AV:L/AC:L/Au:N/C:C/I:C/A:N) | Vulnerability in MySQL with impact on Junos Space system confidentiality and integrity. |
| CVE-2013-1492 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Buffer overflow in yaSSL as used in MySQL |
| CVE-2013-3801 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of Service Vulnerability in MySQL |

A firewall is enabled by default on Junos Space which limits access to the MySQL server port to only permitted hosts or Junos Space nodes.
If the firewall is disabled for any reason, the MySQL server port is exposed, which increases the risks posed by the above vulnerabilities.

Solution:
The above listed vulnerabilities are resolved in Junos Space 13.1R1 and later releases.
MySQL server software has been upgraded to 5.5.30 in Junos Space 13.1R1.
Junos Space releases can be obtained from:
http://www.juniper.net/support/downloads/?p=space
Workaround:
Enable the firewall on Junos Space, or limit access to Junos Space to trusted hosts only.
Implementation:
Junos Space releases can be obtained from:
http://www.juniper.net/support/downloads/?p=space
CVSS Score:
9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Severity Level:
High
Severity Assessment:
CVSS score is based on CVE-2012-3163.