Knowledge Search


×
 

2015-04 Security Bulletin: OpenSSL 19th March 2015 advisory

  [JSA10680] Show Article Properties


Product Affected:
Multiple products
Problem:

OpenSSL project has published a security advisory for several vulnerabilities resolved in the OpenSSL library on 19th March 2015:

CVE CVSS v2 base score Summary
CVE-2015-0209 5.0 (AV:N/AC:M/Au:N/C:N/I:N/A:P) Denial of service due to Use-after-free vulnerability in the d2i_ECPrivateKey function.
CVE-2015-0286 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Denial of service while processing crafted X.509 certificate.
CVE-2015-0287 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Denial of service due to ASN.1 structure reuse.
CVE-2015-0288 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Denial of service (NULL pointer dereference and application crash) via an invalid certificate key.
CVE-2015-0289 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Denial of service (NULL pointer dereference and application crash) while processing arbitrary PKCS#7 data.
CVE-2015-0292 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Denial of service due to Integer underflow in the EVP_DecodeUpdate function.
CVE-2015-0293 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) The SSLv2 implementation denial of service.

In addition to the above this OpenSSL advisory lists CVE-2015-0291, CVE-2015-0290, CVE-2015-0207, CVE-2015-0208, CVE-2015-1787, and CVE-2015-0285 which only affect OpenSSL version 1.0.2 which is not utilized by any Juniper product. Hence these issues do not affect any Juniper product.

Vulnerable Products:
  • Junos OS is potentially affected by one or more of the vulnerabilities.
  • CTPOS releases prior to 7.0R4 are potentially affected by one or more of the vulnerabilities.
  • DDoS Secure is potentially affected by one or more of the vulnerabilities.
  • IDP is potentially affected by one or more of the vulnerabilities.
  • Junos Space is potentially affected by one or more of the vulnerabilities.
  • NSM is potentially affected by one or more of the vulnerabilities.
  • Pulse Secure:  Please refer to SA40001.
  • SBR Carrier is potentially affected by one or more of the vulnerabilities.
  • SRC Series is potentially affected by one or more of the vulnerabilities.
  • ScreenOS is potentially affected by one or more of the vulnerabilities.
  • STRM and JSA Series are affected by CVE-2015-0286, CVE-2015-0287 and CVE-2015-0289.
  • vGW is potentially affected by one or more of the vulnerabilities.
  • RingMaster Appliance is potentially affected by one or more of the vulnerabilities.

Products not vulnerable:

  • Smartpass does not use OpenSSL and is not vulnerable.
  • RingMaster Software does not use OpenSSL and is not vulnerable.

As new information becomes available on products that are not listed above, this document will be updated.

Solution:

  • Junos OS: These issues are resolved in: 12.1X44-D55 (pending release), 12.1X46-D40 (pending release), 12.1X47-D25 (pending release), 12.3R10, 12.3X48-D20 (pending release), 13.2R8, 13.3R7, 14.1R5, 14.2R3 and all subsequent releases (PR 1072809).
  • CTPOS: This issue is resolved in 7.0R4 (pending release), 7.1R1 and later releases (PR 1072934).
  • DDoS Secure: OpenSSL library is upgraded in the next DDoS Secure software update is pending release (PR 1072982).
  • IDP: OpenSSL library is upgraded in the next DDoS Secure software update is pending release (PR 1072987).
  • Junos Space: A resolution is pending (PR 1072821).
  • NSM: OpenSSL library is to be upgraded in 2012.2R12 (pending release) (PR 1072933).
  • SBR Carrier: A resolution is pending (PR 1072991).
  • SRC Series: A resolution is pending (PR 1073259).
  • ScreenOS: All applicable issues above have been resolved in ScreenOS 6.3.0r21 and subsequent releases (PR 1072822).
  • STRM and JSA Series: A resolution is pending release.
  • vGW: A resolution is pending (PR 1073007).
  • RingMaster Appliance: A resolution is pending (PR 1073266).

Workaround:

Standard security best current practices (control plane firewall filters, edge filtering, access lists, etc.) may protect against any remote malicious attacks.

  • Junos OS: Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
    • Disabling J-Web.
    • Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes.
    • Limit access to J-Web and XNM-SSL from only trusted networks.
  • ScreenOS: A temporary workaround for the server side of ScreenOS you can disable the HTTPS web user interface and the WebAuth feature. If you disable the HTTPS user interface you would be required to do configuration management over command line (SSH). The command to disable SSL is the following: unset ssl enable

Implementation:

Software releases or updates are available for download at https://www.juniper.net/support/downloads/

Modification History:
Modification History:

2015-04-08: Initial release.
2015-05-20: Included Junos resolution releases. Updated CTPOS resolution.
2015-08-13: Included ScreenOS resolution and updated status of Junos with available resolution releases.
2015-10-15: Added missing reference to fix in Junos OS 12.3R10.
2015-10-21: Fixed broken links.
2015-12-28: Updated ScreenOS solution version from 6.3.0r20 to 6.3.0r21 and subsequent releases.
2017-03-05: Category restructure.

Related Links:
CVSS Score:
5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements: