
2015-04 Security Bulletin: IDP: Multiple vulnerabilities addressed by third party software updates.

  [JSA10673]


Product Affected:
NetScreen IDP standalone platforms running IDP OS 5.1 prior to 5.1r4.
Problem:

IDP release 5.1r4 addresses vulnerabilities in prior releases with updated third-party software. The following is a summary of the vulnerabilities, ordered by risk score:

| CVE | CVSS v2 base score | Summary |
|---|---|---|
| CVE-2014-6271 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Remote command injection vulnerability in Bash, also known as Shellshock. See JSA10648. |
| CVE-2010-4478 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | OpenSSH authentication bypass vulnerability related to J-PAKE. |
| CVE-2012-2131 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | OpenSSL multiple buffer overflow vulnerabilities. |
| CVE-2012-5195 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Perl denial of service vulnerability. |
| CVE-2009-3563 | 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) | NTP denial of service vulnerability. |
| CVE-2011-0539 | 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) | OpenSSH ssh-keygen insecure certificate generation vulnerability. |
| CVE-2012-0814 | 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N) | OpenSSH information leak vulnerability. |
Solution:
All these issues are resolved in IDP 5.1r4 (released 25 Feb 2015) or later releases.
Workaround:
Limiting access to the device to trusted hosts only helps mitigate or reduce the risk of exposure to these issues.
Implementation:

IDP Software Releases and Patches are available at https://www.juniper.net/support/downloads/ from the "Download Software" links.

Modification History:

2015-04-08: Initial release.

Related Links:
CVSS Score:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Risk Level:
High
Risk Assessment:
Because the Shellshock vulnerabilities were announced in JSA10648, CVE-2014-4478 with a CVSS score of 5.8 is used to determine the risk level associated with this advisory.
Acknowledgements: