2014-11 Security Bulletin: Juniper Secure Analytics and Security Threat Response Manager: Multiple vulnerabilities

Article ID: JSA10657
Category: SECURITY_ADVISORIES
Last Updated: 11 Nov 2014
Version: 2.0
Product Affected:
JSA series devices or virtual machines with JSA software releases: 2013.2, 2014.1, 2014.2 and STRM series devices or virtual machines with STRM software releases: 2012.1, 2013.1, 2013.2
Problem:

STRM and JSA 2013.2 releases prior to 2013.2R9 and JSA 2014 releases prior to 2014.3R1 are affected by the following vulnerabilities:

| CVE | CVSS v2 base score | Summary |
| --- | --- | --- |
| CVE-2014-3062 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) | A remote code execution vulnerability that would allow a remote attacker with high knowledge of the system and knowledge of the product operation to execute code with root level privileges. |
| CVE-2014-4833 | 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) | A vulnerability that would allow remote authenticated users to gain privileges via invalid input. |
| CVE-2014-0075 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Apache Tomcat integer overflow vulnerability. |
| CVE-2014-0095 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service (thread consumption) vulnerability in Apache Tomcat. |
| CVE-2014-3091 | 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Cross-site scripting (XSS) vulnerability. |
| CVE-2014-0096 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | XML External Entity (XXE) issue in Apache Tomcat. |
| CVE-2014-0099 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Integer overflow vulnerability in Apache Tomcat. |
| CVE-2014-0119 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | XML External Entity (XXE) issue in Apache Tomcat. |
| CVE-2014-0837 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Insufficient verification of X.509 certificates in the autoupdate process while downloading updates, which may allow a man-in-the-middle attacker to manipulate traffic. |
| CVE-2014-4825 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Incorrect handling of secure connections when communicating with other applications, which allows man-in-the-middle attackers to discover clear-text credentials or other sensitive information. |
| CVE-2014-4827 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Cross-site scripting (XSS) vulnerability. |
| CVE-2014-4828 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Clickjacking vulnerability. |
| CVE-2014-4830 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Missing HttpOnly flag, which mitigates the risk of client-side script accessing sensitive cookies. |
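The CVSS column above pairs each base score with its six-metric CVSS v2 vector. The following calculator, added here as a worked example (it is not part of the Juniper advisory and not a Juniper tool), parses those vector strings and reproduces the base scores from the published CVSS v2 equations, so a reader can check the table, re-score a vector if a metric changes, and pick out the entry that drives the advisory's overall rating. The metric weights are the FIRST CVSS v2 constants; the `ADVISORY_ENTRIES` list is copied from the table above.

```python
"""CVSS v2 base-score calculator (added example, not Juniper code).

Parses vectors of the form AV:N/AC:M/Au:N/C:C/I:C/A:C and computes the
base score with the CVSS v2 equations, then verifies the advisory table."""
import re

# CVSS v2 metric weights from the FIRST specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}              # None / Partial / Complete

VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)

# (CVE, published base score, vector) as listed in the advisory table.
ADVISORY_ENTRIES = [
    ("CVE-2014-3062", 9.3, "AV:N/AC:M/Au:N/C:C/I:C/A:C"),
    ("CVE-2014-4833", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0075", 5.0, "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
    ("CVE-2014-0095", 5.0, "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
    ("CVE-2014-3091", 5.0, "AV:N/AC:L/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-0096", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2014-0099", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-0119", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2014-0837", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-4825", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2014-4827", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-4828", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-4830", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
]


def parse_vector(vector):
    """Split a CVSS v2 base vector into a dict keyed by metric name."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))


def _round1(x):
    # CVSS v2 rounds to one decimal, half up; Python's round() is banker's
    # rounding, so do it explicitly (scores are never negative).
    return int(x * 10 + 0.5) / 10


def base_score(vector):
    """Return the CVSS v2 base score (0.0 to 10.0) for a base vector string."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[v["C"]]) * (1 - IMPACT[v["I"]]) * (1 - IMPACT[v["A"]]))
    exploitability = 20 * ACCESS_VECTOR[v["AV"]] * ACCESS_COMPLEXITY[v["AC"]] * AUTHENTICATION[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176   # a vector with no impact scores 0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def verify_table(entries=ADVISORY_ENTRIES):
    """Return the entries whose published score disagrees with the vector."""
    return [(cve, pub, base_score(vec)) for cve, pub, vec in entries
            if base_score(vec) != pub]


def highest_scoring(entries=ADVISORY_ENTRIES):
    """Return (CVE, score) of the entry that sets the advisory's overall CVSS score."""
    return max(((cve, base_score(vec)) for cve, _, vec in entries), key=lambda t: t[1])


if __name__ == "__main__":
    print("mismatches:", verify_table())            # expect an empty list
    print("advisory score set by:", highest_scoring())
```

`verify_table()` returns an empty list for the advisory as published, and `highest_scoring()` returns `CVE-2014-3062` at 9.3, which is the figure the Severity Assessment section below quotes as the advisory's overall CVSS score.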
Solution:

These issues are resolved in:

  • JSA 2014.3R1 or later releases.
  • JSA or STRM 2013.2R9 or later releases.
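A small release check, added here as an example (not Juniper tooling), that encodes the Problem and Solution statements above: 2013.2 releases earlier than 2013.2R9 and 2014 releases earlier than 2014.3R1 are affected, and 2012.1 and 2013.1 are listed as affected with no fixed release given. It assumes JSA/STRM release strings look like `2014.3R1` (year, train, optional `R<n>` maintenance release) and treats a release with no `R` suffix as earlier than R1; both are assumptions, not a Juniper versioning rule.

```python
"""Affected-release check for JSA10657 (added example, not Juniper code).

Assumed release format: YYYY.N or YYYY.NR<n>, e.g. 2013.2R9, 2014.3R1."""
import re

RELEASE_RE = re.compile(r"^(\d{4})\.(\d+)(?:R(\d+))?$")

# Fixed releases named in the advisory's Solution section.
FIXED_2013_2 = (2013, 2, 9)   # JSA or STRM 2013.2R9 or later
FIXED_2014 = (2014, 3, 1)     # JSA 2014.3R1 or later


def parse_release(release):
    """Return (year, train, maintenance) for a release string such as '2014.3R1'.

    A missing R suffix is treated as maintenance 0 (assumption: earlier than R1)."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised JSA/STRM release string: {release!r}")
    year, train, maint = m.groups()
    return (int(year), int(train), int(maint or 0))


def is_fixed(release):
    """True when the release carries the fixes listed in the advisory."""
    v = parse_release(release)
    if v >= FIXED_2014:              # 2014.3R1 and everything after it
        return True
    if v[:2] == (2013, 2):           # the 2013.2 train was fixed from R9
        return v >= FIXED_2013_2
    return False                     # 2012.1, 2013.1, 2014.1, 2014.2: no fixed release listed


def triage(releases):
    """Split an inventory of release strings into fixed and affected lists."""
    fixed, affected = [], []
    for r in releases:
        (fixed if is_fixed(r) else affected).append(r)
    return fixed, affected


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    inventory = ["2013.2R8", "2013.2R9", "2014.2R3", "2014.3R1", "2015.1R1", "2013.1R5"]
    print(triage(inventory))
```

Run against a list of deployed releases, `triage()` returns the releases at or past a fixed release first and the ones still needing the update second; 2014.1 and 2014.2 releases land in the affected list because the advisory fixes the 2014 train only from 2014.3R1.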

Workaround:

There are no known workarounds that mitigate all of the above issues. Restricting access to the device to trusted hosts only would mitigate or lessen exposure to some of the issues.

Implementation:

JSA and STRM software is available for download from http://www.juniper.net/support/downloads/.

Modification History:

2014-11-12: Initial publication.

CVSS Score:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Severity Level:
Critical
Severity Assessment:
Vulnerability CVE-2014-3062 has the highest CVSS v2 base score of 9.3 in this advisory.
Acknowledgements:
