

2015-04 Security Bulletin: IDP: Multiple vulnerabilities addressed by third party software updates.

  [JSA10673]

Product Affected:
NetScreen IDP stand alone platforms running IDP OS 5.1 prior to 5.1r4.

IDP release 5.1r4 addresses vulnerabilities in prior releases with updated third party software. The following is a summary of vulnerabilities ordered by risk score:

| CVE | CVSS v2 base score | Summary |
|---|---|---|
| CVE-2014-6271 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Remote command injection vulnerability in Bash also known as Shellshock. See JSA10648. |
| CVE-2010-4478 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | OpenSSH authentication bypass vulnerability related to J-PAKE. |
| CVE-2012-2131 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | OpenSSL Multiple buffer overflow vulnerabilities. |
| CVE-2012-5195 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Perl denial of service vulnerability. |
| CVE-2009-3563 | 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) | NTP Denial of service vulnerability. |
| CVE-2011-0539 | 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) | OpenSSH ssh-keygen insecure certificate generation vulnerability. |
| CVE-2012-0814 | 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N) | OpenSSH information leak vulnerability. |

All these issues are resolved in IDP 5.1r4 (released 25 Feb 2015) or later releases.
Limiting access to the device to only trusted hosts would help mitigate or reduce the risks of exposure to these issues.

IDP Software Releases and Patches are available from the "Download Software" links.

Modification History:

2015-04-08: Initial release.

CVSS Score:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Risk Level:
Risk Assessment:
Because the Shellshock vulnerabilities were announced in JSA10648, CVE-2014-4478, with a CVSS score of 5.8, is used to determine the risk level associated with this advisory.