
2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security Threat Response Manager (STRM): Multiple vulnerabilities resolved by third party software upgrades.

  [JSA10643]


Product Affected:
JSA series devices or virtual machines running JSA software releases 2013.2, 2014.1 and 2014.2, and STRM series devices or virtual machines running STRM software releases 2012.1, 2013.1 and 2013.2.
Problem:

Multiple vulnerabilities in Juniper Secure Analytics (JSA) and Security Threat Response Manager (STRM) software have been resolved with updated third party software components.

CVE-2014-0411 A TLS timing vulnerability in IBM Runtime Environment, Java Technology Edition, Version 6 and 7 affects STRM/JSA 2013.2 releases prior to 2013.2R7. This may allow remote attackers to obtain sensitive information about encryption keys via a timing discrepancy during the TLS/SSL handshake. STRM/JSA 2014.2 and later releases do not have this problem.

CVE CVSS v2 base score Type of issue
CVE-2014-0411 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N) Java: encryption key disclosure via a timing discrepancy during the TLS/SSL handshake

CVE-2014-0114 A ClassLoader manipulation vulnerability in Apache Struts affects STRM/JSA 2012.1 releases prior to 2012.1R7 and 2013.2 releases prior to 2013.2R8. This may allow a remote attacker to execute arbitrary code on the system. STRM/JSA 2014.2 and later releases do not have this problem.

CVE-2014-0114 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Apache Struts: ClassLoader manipulation vulnerability

STRM/JSA 2013.2 releases prior to 2013.2R8 and 2014.2R2 are affected by the following Apache Tomcat and Apache Xalan-Java vulnerabilities:

CVE-2013-4590 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Apache Tomcat: XML External Entity resolution vulnerability
CVE-2013-4286 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) Apache Tomcat: Improper validation of HTTP request headers
CVE-2013-4322 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) Apache Tomcat: DoS while processing chunked transfer coding
CVE-2014-0033 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Apache Tomcat: session fixation vulnerability
CVE-2014-0107 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Apache Xalan-Java: improper access restrictions vulnerability

STRM 2012.1 releases prior to 2012.1R8 are affected by the following PostgreSQL vulnerabilities:

CVE-2014-0060 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) PostgreSQL: privilege escalation vulnerability
CVE-2014-0061 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) PostgreSQL: privilege escalation vulnerability
CVE-2014-0062 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N) PostgreSQL: race condition vulnerability
CVE-2014-0063 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) PostgreSQL: stack-based buffer overflow vulnerability
CVE-2014-0064 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) PostgreSQL: integer overflow vulnerability
CVE-2014-0065 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) PostgreSQL: buffer overflow vulnerability
CVE-2014-0066 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P) PostgreSQL: denial of service vulnerability
CVE-2014-0067 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P) PostgreSQL: privilege escalation vulnerability

STRM 2012.1 releases prior to 2012.1R8, STRM/JSA 2013.2 releases prior to 2013.2R8 and JSA 2014.2R2 are affected by the following Apache HTTP Server and OpenSSL vulnerabilities:

CVE-2014-0098 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Apache HTTP Server: denial of service
CVE-2014-0224 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) OpenSSL: ChangeCipherSpec injection
CVE-2014-0198 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) OpenSSL: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference denial of service
CVE-2010-5298 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P) OpenSSL: SSL_MODE_RELEASE_BUFFERS session injection or denial of service

Solution:

JSA 2012.1R8, 2013.2R8, 2014.2R3 or later releases resolve all of the vulnerabilities listed above.

Specifically:

  • JSA 2013.2R8 and 2014.2R3 or later releases resolve CVE-2014-0098, CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590, CVE-2014-0107.
  • JSA 2012.1R8 or later releases resolve CVE-2014-0098, CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-0066, CVE-2014-0063, CVE-2014-0064, CVE-2014-0067, CVE-2014-0065, CVE-2014-0062, CVE-2014-0061, CVE-2014-006.
  • 2013.2R7 or later releases resolve CVE-2014-0114, CVE-2014-0411.
  • 2012.1R7 or later releases resolve CVE-2014-0411.
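The following Python is an added example, not part of Juniper's bulletin: it encodes the affected-release statements from the Problem section of JSA10643 as a per-CVE fix map and reports which of the CVEs above this advisory still lists as open for a given release string. It assumes release strings of the form `2013.2R7` (a bare `2013.2` is treated as revision 0), and it treats the 2013.1 and 2014.1 trains as having no per-CVE fix information, since the text names them as affected but gives no fixed release for them.

```python
import re
from typing import Dict, List, Tuple

# Fix map reconstructed from the affected-release statements in JSA10643:
# {cve: {release_train: first_revision_that_resolves_it}}.  A train that is
# absent from a CVE's entry is not stated to be affected by that CVE.
TOMCAT_XALAN = ["CVE-2013-4590", "CVE-2013-4286", "CVE-2013-4322",
                "CVE-2014-0033", "CVE-2014-0107"]
POSTGRESQL = ["CVE-2014-%04d" % n for n in range(60, 68)]   # CVE-2014-0060..0067
HTTPD_OPENSSL = ["CVE-2014-0098", "CVE-2014-0224", "CVE-2014-0198", "CVE-2010-5298"]

FIXED_IN: Dict[str, Dict[str, int]] = {
    "CVE-2014-0411": {"2012.1": 7, "2013.2": 7},
    "CVE-2014-0114": {"2012.1": 7, "2013.2": 8},
}
for _cve in TOMCAT_XALAN:
    FIXED_IN[_cve] = {"2013.2": 8, "2014.2": 3}      # 2014.2R2 affected, R3 fixed
for _cve in POSTGRESQL:
    FIXED_IN[_cve] = {"2012.1": 8}
for _cve in HTTPD_OPENSSL:
    FIXED_IN[_cve] = {"2012.1": 8, "2013.2": 8, "2014.2": 3}

# Trains the bulletin names as affected but gives no per-CVE fix data for.
TRAINS_WITHOUT_FIX_DATA = {"2013.1", "2014.1"}

# Assumed release-string format: <year>.<n> optionally followed by R<rev>.
_RELEASE_RE = re.compile(r"^(\d{4}\.\d)(?:R(\d+))?$")


def parse_release(release: str) -> Tuple[str, int]:
    """Split e.g. '2013.2R7' into ('2013.2', 7); a bare '2013.2' is revision 0."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised JSA/STRM release string: {release!r}")
    return m.group(1), int(m.group(2) or 0)


def unresolved_cves(release: str) -> List[str]:
    """CVEs from JSA10643 that the bulletin still lists as open for `release`."""
    train, rev = parse_release(release)
    if train in TRAINS_WITHOUT_FIX_DATA:
        raise LookupError(f"{train} is listed as affected but the bulletin "
                          "gives no fixed release for it; treat as unresolved")
    return sorted(cve for cve, fixes in FIXED_IN.items()
                  if train in fixes and rev < fixes[train])


if __name__ == "__main__":
    for rel in ["2012.1R7", "2013.2R7", "2014.2R2", "2014.2R3"]:
        open_cves = unresolved_cves(rel)
        print(f"{rel}: {len(open_cves)} unresolved:", ", ".join(open_cves) or "none")
```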

Workaround:
Use access lists or firewall filters to limit access to the JSA/STRM device to trusted hosts only.
Implementation:
How to obtain fixed software:

JSA and STRM Software Releases are available at http://www.juniper.net/support/downloads/.
Related Links:
CVSS Score:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Severity Level:
High
Severity Assessment:
Apache Struts vulnerability CVE-2014-0114 has the highest CVSS v2 base score of 7.5 in this advisory.
Acknowledgements: