2015-04 Security Bulletin: IDP: Multiple vulnerabilities addressed by third party software updates.

Article ID: JSA10673 SECURITY_ADVISORIES Last Updated: 07 Apr 2015 Version: 1.0
Product Affected:
NetScreen IDP standalone platforms running IDP OS 5.1 prior to 5.1r4.
Problem:

IDP release 5.1r4 addresses vulnerabilities in prior releases with updated third-party software. The following is a summary of vulnerabilities ordered by risk score:

| CVE | CVSS v2 base score | Summary |
|---|---|---|
| CVE-2014-6271 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Remote command injection vulnerability in Bash also known as Shellshock. See JSA10648. |
| CVE-2010-4478 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | OpenSSH authentication bypass vulnerability related to J-PAKE. |
| CVE-2012-2131 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | OpenSSL multiple buffer overflow vulnerabilities. |
| CVE-2012-5195 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Perl denial of service vulnerability. |
| CVE-2009-3563 | 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) | NTP denial of service vulnerability. |
| CVE-2011-0539 | 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) | OpenSSH ssh-keygen insecure certificate generation vulnerability. |
| CVE-2012-0814 | 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N) | OpenSSH information leak vulnerability. |
Solution:
All these issues are resolved in IDP 5.1r4 (released 25 Feb 2015) or later releases.
Workaround:
Limiting access to the device to trusted hosts only helps mitigate or reduce the risk of exposure to these issues.
Implementation:

IDP Software Releases and Patches are available at https://www.juniper.net/support/downloads/ from the "Download Software" links.

Modification History:

2015-04-08: Initial release.

CVSS Score:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Severity Level:
High
Severity Assessment:
Because the Shellshock vulnerabilities were announced in JSA10648, CVE-2014-4478 with a CVSS score of 5.8 is used to determine the risk level associated with this advisory.