
2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security Threat Response Manager (STRM): Multiple vulnerabilities resolved by third party software upgrades.


Article ID: JSA10643 SECURITY_ADVISORIES Last Updated: 15 Feb 2017 Version: 4.0
Product Affected:
JSA series devices or virtual machines with JSA software releases: 2013.2, 2014.1, 2014.2 and STRM series devices or virtual machines with STRM software releases: 2012.1, 2013.1, 2013.2
Problem:

Multiple vulnerabilities in Juniper Secure Analytics (JSA) and Security Threat Response Manager (STRM) software have been resolved with updated third party software components.

CVE-2014-0411 A TLS timing vulnerability in IBM Runtime Environment, Java Technology Edition, Versions 6 and 7 affects STRM/JSA 2013.2 releases prior to 2013.2R7. It may allow remote attackers to obtain sensitive information about encryption keys via a timing discrepancy during the TLS/SSL handshake. STRM/JSA 2014.2 and later releases do not have this problem.

CVE CVSS v2 base score Type of issue
CVE-2014-0411 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N) Java: encryption key disclosure via a timing discrepancy during the TLS/SSL handshake

CVE-2014-0114 A ClassLoader manipulation vulnerability in Apache Struts affects STRM/JSA 2012.1 releases prior to 2012.1R7 and 2013.2 releases prior to 2013.2R8. This may allow a remote attacker to execute arbitrary code on the system. STRM/JSA 2014.2 and later releases do not have this problem.

CVE-2014-0114 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Apache Struts: ClassLoader manipulation vulnerability

STRM/JSA 2013.2 releases prior to 2013.2R8 and 2014.2R2 are affected by the following Apache Tomcat and Apache Xalan-Java vulnerabilities:

CVE-2013-4590 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Apache Tomcat: XML External Entity resolution vulnerability
CVE-2013-4286 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) Apache Tomcat: improper validation of HTTP request headers
CVE-2013-4322 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) Apache Tomcat: DoS while processing chunked transfer coding
CVE-2014-0033 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Apache Tomcat: session fixation vulnerability
CVE-2014-0107 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Apache Xalan-Java: improper access restrictions vulnerability

STRM 2012.1 releases prior to 2012.1R8 are affected by the following PostgreSQL vulnerabilities:

CVE-2014-0060 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) PostgreSQL: privilege escalation vulnerability
CVE-2014-0061 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) PostgreSQL: privilege escalation vulnerability
CVE-2014-0062 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N) PostgreSQL: race condition vulnerability
CVE-2014-0063 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) PostgreSQL: stack-based buffer overflow vulnerability
CVE-2014-0064 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) PostgreSQL: integer overflow vulnerability
CVE-2014-0065 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) PostgreSQL: buffer overflow vulnerability
CVE-2014-0066 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P) PostgreSQL: denial of service vulnerability
CVE-2014-0067 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P) PostgreSQL: privilege escalation vulnerability

STRM 2012.1 releases prior to 2012.1R8, STRM/JSA 2013.2 releases prior to 2013.2R8 and JSA 2014.2R2 are affected by the following Apache HTTP Server and OpenSSL vulnerabilities:

CVE-2014-0098 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Apache HTTP Server: denial of service
CVE-2014-0224 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) OpenSSL: ChangeCipherSpec injection
CVE-2014-0198 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) OpenSSL: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference denial of service
CVE-2010-5298 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P) OpenSSL: SSL_MODE_RELEASE_BUFFERS session injection or denial of service
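
The CVSS v2 base scores listed above can be recomputed from their vectors, which is also how the 7.5 in the Severity Assessment below is arrived at (the highest score across all rows). The following is an added example, not part of the Juniper advisory: it encodes the published CVSS v2 base-metric weights, parses each vector string, recomputes the score, and checks it against the value the advisory lists. The ADVISORY_ROWS table is transcribed from the rows above; the function and variable names are this example's own.

```python
"""Recompute the CVSS v2 base scores in this advisory from their vectors.

Added example, not part of the Juniper advisory. The weights are the CVSS v2
base-metric values from the CVSS v2 specification; ADVISORY_ROWS is transcribed
from the advisory's own tables.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Rows transcribed from this advisory: (CVE, listed base score, vector).
ADVISORY_ROWS = [
    ("CVE-2014-0411", 4.0, "AV:N/AC:H/Au:N/C:P/I:P/A:N"),
    ("CVE-2014-0114", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("CVE-2013-4590", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2013-4286", 5.8, "AV:N/AC:M/Au:N/C:P/I:P/A:N"),
    ("CVE-2013-4322", 4.3, "AV:N/AC:M/Au:N/C:N/I:N/A:P"),
    ("CVE-2014-0033", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2014-0107", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("CVE-2014-0060", 4.0, "AV:N/AC:L/Au:S/C:N/I:P/A:N"),
    ("CVE-2014-0061", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0062", 4.9, "AV:N/AC:M/Au:S/C:P/I:P/A:N"),
    ("CVE-2014-0063", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0064", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0065", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0066", 4.0, "AV:N/AC:L/Au:S/C:N/I:N/A:P"),
    ("CVE-2014-0067", 4.6, "AV:L/AC:L/Au:N/C:P/I:P/A:P"),
    ("CVE-2014-0098", 5.0, "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
    ("CVE-2014-0224", 6.8, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("CVE-2014-0198", 4.3, "AV:N/AC:M/Au:N/C:N/I:N/A:P"),
    ("CVE-2010-5298", 4.0, "AV:N/AC:H/Au:N/C:N/I:P/A:P"),
]


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into a dict; reject malformed or incomplete vectors."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[name] = value
    required = {"AV", "AC", "Au", "C", "I", "A"}
    if set(metrics) != required:
        raise ValueError(f"expected metrics {sorted(required)}, got {sorted(metrics)}")
    return metrics


def round_to_1_decimal(x):
    # CVSS v2 rounds half away from zero; Python's round() uses banker's rounding.
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """CVSS v2 base score from the impact and exploitability subscores."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176  # no impact at all means score 0
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def check_advisory(rows=ADVISORY_ROWS):
    """Return (mismatched rows, highest score, CVEs carrying that highest score)."""
    scored = [(cve, listed, base_score(vec)) for cve, listed, vec in rows]
    mismatches = [row for row in scored if row[1] != row[2]]
    top = max(score for _, _, score in scored)
    top_cves = [cve for cve, _, score in scored if score == top]
    return mismatches, top, top_cves


if __name__ == "__main__":
    mismatches, top, top_cves = check_advisory()
    print("mismatched rows:", mismatches)
    print(f"highest base score {top} for {', '.join(top_cves)}")
```

Running the module reports no mismatches and a highest score of 7.5 shared by CVE-2014-0114 and CVE-2014-0107; the advisory names the Struts issue in its Severity Assessment, and the Xalan-Java issue carries the same vector. The `parse_vector` check rejects vectors with a missing metric, which is the usual way a transcription error shows up when scores are pasted between tickets.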

Solution:

JSA 2012.1R8, 2013.2R8, 2014.2R3 or later releases completely resolve all the vulnerabilities mentioned above.

Specifically:

  • JSA 2013.2R8 and 2014.2R3 or later releases resolve CVE-2014-0098, CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590, CVE-2014-0107.
  • JSA 2012.1R8 or later releases resolve CVE-2014-0098, CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-0066, CVE-2014-0063, CVE-2014-0064, CVE-2014-0067, CVE-2014-0065, CVE-2014-0062, CVE-2014-0061, CVE-2014-006.
  • 2013.2R7 or later releases resolve CVE-2014-0114, CVE-2014-0411.
  • 2012.1R7 or later releases resolve CVE-2014-0411.
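
The fix mapping above can be turned into a small triage check for an inventory of appliances. This is an added example, not Juniper's code: it encodes the Problem section's per-CVE affected ranges (release train and first R-number that carries the fix), reads a release string such as 2013.2R7 (the string format, and treating a bare train like 2013.2 as R0, are assumptions about what the appliance reports), and returns which of this advisory's CVEs that release does not yet carry a fix for. Trains that the Product Affected field names but that no per-CVE statement covers (2013.1, 2014.1) are reported separately rather than as fixed, so they are not silently marked clean.

```python
"""Triage a JSA/STRM release string against the ranges stated in this advisory.

Added example, not part of the Juniper advisory. AFFECTED is transcribed from
the Problem section as {train: first R-number carrying the fix}; the release
string format 'YYYY.mR<n>' and treating a bare 'YYYY.m' as R0 are assumptions.
"""
import re

# Per-CVE affected ranges. A train not listed under a CVE is, according to the
# advisory's wording, not affected by that CVE (e.g. 2014.2 for CVE-2014-0411).
AFFECTED = {
    "CVE-2014-0411": {"2013.2": 7},
    "CVE-2014-0114": {"2012.1": 7, "2013.2": 8},
}
for cve in ("CVE-2013-4590", "CVE-2013-4286", "CVE-2013-4322",
            "CVE-2014-0033", "CVE-2014-0107"):            # Apache Tomcat / Xalan-Java
    AFFECTED[cve] = {"2013.2": 8, "2014.2": 3}
for cve in (f"CVE-2014-00{n}" for n in range(60, 68)):    # PostgreSQL, 0060..0067
    AFFECTED[cve] = {"2012.1": 8}
for cve in ("CVE-2014-0098", "CVE-2014-0224",
            "CVE-2014-0198", "CVE-2010-5298"):            # Apache HTTP Server / OpenSSL
    AFFECTED[cve] = {"2012.1": 8, "2013.2": 8, "2014.2": 3}

# Trains named under "Product Affected" (JSA and STRM combined).
PRODUCT_AFFECTED = {"2012.1", "2013.1", "2013.2", "2014.1", "2014.2"}

RELEASE_RE = re.compile(r"^(\d{4}\.\d+)(?:R(\d+))?$")


def parse_release(release):
    """'2013.2R7' -> ('2013.2', 7); a bare train such as '2013.2' is treated as R0."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string {release!r}")
    return m.group(1), int(m.group(2) or 0)


def unresolved_cves(release):
    """CVEs from this advisory that the given release does not yet carry a fix for."""
    train, r = parse_release(release)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if train in ranges and r < ranges[train])


def triage(release):
    """Classify one release: fixed, upgrade, listed-but-no-fix, or out of scope."""
    train, _ = parse_release(release)
    if train not in PRODUCT_AFFECTED:
        return {"release": release, "status": "not covered by this advisory",
                "unresolved": None}
    if not any(train in ranges for ranges in AFFECTED.values()):
        # 2013.1 and 2014.1 are named as affected, but no fixed release is stated.
        return {"release": release,
                "status": "listed as affected; no fixed release stated",
                "unresolved": None}
    open_cves = unresolved_cves(release)
    return {"release": release,
            "status": "fixed" if not open_cves else "upgrade",
            "unresolved": open_cves}


if __name__ == "__main__":
    for rel in ("2012.1R7", "2013.2R7", "2013.2R8", "2014.2R2", "2014.1R1"):
        print(triage(rel))
```

Running the module shows, for instance, that 2013.2R7 still lacks the Tomcat, Xalan-Java, Apache HTTP Server, OpenSSL and Struts fixes (ten CVEs) even though it carries the CVE-2014-0411 fix, and that 2014.2R2 has nine open CVEs that 2014.2R3 closes. The train check is done before the R-number comparison because R-numbers are only meaningful within one train.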

Workaround:
Use access lists or firewall filters to limit access to the JSA/STRM device only from trusted hosts.
Implementation:
How to obtain fixed software:

JSA and STRM Software Releases are available at http://www.juniper.net/support/downloads/.
CVSS Score:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Severity Level:
High
Severity Assessment:
Apache Struts vulnerability CVE-2014-0114 has the highest CVSS v2 base score of 7.5 in this advisory.
Acknowledgements:
 
