
2014-11 Security Bulletin: Junos Space: Multiple vulnerabilities resolved by third party software upgrades

Article ID: JSA10659 | Security Advisories | Last Updated: 07 Sep 2016 | Version: 3.0
Product Affected:
Junos Space and JA1500, JA2500 (Junos Space Appliance) with Junos Space 13.3 and earlier releases.
Problem:

Junos Space release 14.1R1 addresses multiple vulnerabilities in prior releases with updated third party software components. The following is a list of software upgraded and vulnerabilities resolved:

OpenJDK runtime 1.7.0 update_45 was upgraded to 1.7.0 update_65, which resolves:

CVE            CVSS v2 base score                 Summary
CVE-2014-0460  5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)   Vulnerability in JNDI.
CVE-2014-0423  5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P)   Vulnerability in Java Beans.
CVE-2014-4264  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Vulnerability in Java Security.
CVE-2014-0411  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)   Vulnerability in JSSE.
CVE-2014-0453  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)   Vulnerability in Java Security.
CVE-2014-4244  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)   Vulnerability in Java Security.
CVE-2014-4263  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)   Vulnerability in Java Security related to Diffie-Hellman key agreement.

OpenSSL CentOS package was upgraded from 0.9.8e-20 to 0.9.8e-27.el5, which resolves:

CVE            CVSS v2 base score                 Summary
CVE-2012-2110  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Buffer overflow vulnerability.
CVE-2012-2333  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)   Integer underflow in OpenSSL.
CVE-2014-0224  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)   OpenSSL does not properly restrict processing of ChangeCipherSpec messages, aka the "CCS Injection" vulnerability.
CVE-2011-4576  5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)   The SSL 3.0 implementation in OpenSSL is vulnerable to disclosure of sensitive information.
CVE-2011-4619  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Denial of service (CPU consumption) vulnerability.
CVE-2012-0884  5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)   OpenSSL vulnerable to the Million Message Attack (MMA) adaptive chosen ciphertext attack.
CVE-2013-0166  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)   Denial of service (NULL pointer dereference and application crash) vulnerability.
CVE-2011-4109  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)   Double free vulnerability in OpenSSL.
CVE-2013-0169  2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)   Plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Oracle MySQL was upgraded from 5.5.34 to 5.5.36, which resolves:

CVE            CVSS v2 base score                 Summary
CVE-2013-5908  2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)   Denial of service vulnerability in MySQL error handling.

Solution:
These issues are fixed in Junos Space 14.1R1 and all subsequent releases.



Workaround:
Use access lists or firewall filters to limit access to the Junos Space device only from trusted hosts.
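One way to apply this workaround on a Junos router or switch in the path to the appliance, as an added example that is not part of the advisory: a stateless firewall filter that accepts traffic to the Space management address only from a prefix-list of trusted hosts, and logs and discards everything else aimed at it. The appliance address 203.0.113.10/32, the trusted prefixes, and interface ge-0/0/1 are placeholders to replace with your own values.

```junos
policy-options {
    /* Management hosts allowed to reach the Junos Space appliance (placeholders) */
    prefix-list space-trusted-hosts {
        192.0.2.0/28;
        198.51.100.7/32;
    }
}
firewall {
    family inet {
        filter protect-junos-space {
            /* Accept traffic to the appliance only when it comes from a trusted host */
            term trusted-to-space {
                from {
                    source-prefix-list {
                        space-trusted-hosts;
                    }
                    /* Junos Space appliance address (placeholder) */
                    destination-address {
                        203.0.113.10/32;
                    }
                }
                then accept;
            }
            /* Any other traffic aimed at the appliance is logged and dropped */
            term untrusted-to-space {
                from {
                    destination-address {
                        203.0.113.10/32;
                    }
                }
                then {
                    log;
                    discard;
                }
            }
            /* Traffic not destined to the appliance is left untouched */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Interface facing the untrusted side (placeholder) */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input protect-junos-space;
                }
            }
        }
    }
}
```

Entries produced by the log action can be reviewed with "show firewall log" to confirm that only expected hosts are being rejected; the filter limits exposure but does not replace upgrading the appliance to 14.1R1.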
Implementation:

Junos Space Releases are available at http://www.juniper.net/support/downloads/?p=space#sw.

Note: If you are upgrading to 14.1 from previous releases, please download and install the bash security update v2 patch (even if Bash Security Update was previously installed). Please see http://kb.juniper.net/JSA10648.

Modification History:

2014-11-12: Initial publication.
2014-11-17: Corrected the Java and OpenSSL versions in 14.1R1, included additional CVEs that are resolved.
2016-09-07: Corrected the name of Java Runtime Environment used by Junos Space.

CVSS Score:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Severity Level:
High
Severity Assessment:
OpenSSL vulnerabilities CVE-2012-2110 and CVE-2012-2131 have the highest CVSS v2 base score of 7.5 in this advisory.
Acknowledgements:
