2015-10 Security Bulletin: Junos Space: Multiple Vulnerabilities in Junos Space

[JSA10698]


Product Affected:
Junos Space releases prior to 15.1R1
Problem:

Multiple vulnerabilities have been addressed in the Junos Space 15.1R1 release.

These include cross-site scripting (XSS), SQL injection and command injection vulnerabilities. These vulnerabilities may potentially allow a remote, unauthenticated, network-based attacker with access to Junos Space to execute arbitrary code on Junos Space. These vulnerabilities were found during internal product testing. These issues have been assigned CVE-2015-7753.

The OpenJDK runtime was upgraded to 1.7.0 update_79, which resolves:

CVE | CVSS v2 base score | Summary
CVE-2014-0429 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Vulnerability in Java 2D.
CVE-2014-0456 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Vulnerability in Java Hotspot.
CVE-2014-0460 | 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) | Vulnerability in JNDI.
CVE-2014-0453 | 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N) | Vulnerability in Java Security.

The following vulnerability was resolved in the OpenNMS software included with Junos Space:

CVE | CVSS v2 base score | Summary
CVE-2015-0975 | 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) | OpenNMS Authenticated XXE

The KVM package was upgraded to kvm-83-273.el5.centos.x86_64.rpm, which resolves the following vulnerability:

CVE | CVSS v2 base score | Summary
CVE-2015-3209 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Heap-based buffer overflow vulnerability in the PCNET controller in QEMU.

The Mozilla NSS package was upgraded to nss-3.18.0-6.el5_11, which resolves the following vulnerability:

CVE | CVSS v2 base score | Summary
CVE-2014-1568 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | NSS does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures.

Apache HTTP Server was upgraded to 2.2.31 resolving the following issues:

CVE | CVSS v2 base score | Summary
CVE-2013-2249 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Vulnerability in Apache mod_session_dbd module.
CVE-2013-6438 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service in Apache mod_dav module.
CVE-2014-0098 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service in Apache mod_log_config module.

MySQL was upgraded to 5.6.23 which resolves the following vulnerabilities that may pose a risk to MySQL as used in Junos Space:

CVE | CVSS v2 base score | Summary
CVE-2014-6491 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Vulnerability in MySQL Server related to SERVER:SSL:yaSSL.
CVE-2014-6500 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Vulnerability in MySQL Server related to SERVER:SSL:yaSSL.
CVE-2015-0501 | 5.7 (AV:N/AC:M/Au:M/C:N/I:N/A:C) | Vulnerability in MySQL Server related to Server : Compiling.
CVE-2014-6478 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Vulnerability in MySQL Server related to SERVER:SSL:yaSSL.
CVE-2014-6494 | 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Vulnerability in MySQL Server related to CLIENT:SSL:yaSSL.
CVE-2014-6495 | 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Vulnerability in MySQL Server related to SERVER:SSL:yaSSL.
CVE-2014-6496 | 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Vulnerability in MySQL Server related to CLIENT:SSL:yaSSL.
CVE-2014-6559 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Vulnerability in MySQL Server related to C API SSL CERTIFICATE HANDLING.
CVE-2015-2620 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Vulnerability in MySQL Server related to Server : Security : Privileges.
CVE-2013-5908 | 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) | Vulnerability in MySQL Server related to Error Handling.
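
The base scores in the tables above follow from their CVSS v2 vectors. The following is an added example, not part of the Juniper bulletin: it recomputes the score from a vector with the CVSS v2 base equations and flags rows whose vector is not CVSS v2 (the CVE-2015-0975 row carries a CVSS:3.0 vector). The function names and the `ROWS` sample, copied from a few rows of this bulletin, are choices made for this example.

```python
# CVSS v2 metric weights from the CVSS v2 specification.
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def base_score(vector):
    """CVSS v2 base score for a vector such as AV:N/AC:L/Au:N/C:P/I:P/A:P."""
    vector = vector.strip().strip("()")
    if vector.startswith("CVSS:"):  # v3-style prefix: different metrics and equations
        raise ValueError("not a CVSS v2 vector: " + vector)
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    if set(parts) != set(W):
        raise ValueError("expected exactly AV/AC/Au/C/I/A: " + vector)
    try:
        w = {metric: W[metric][value] for metric, value in parts.items()}
    except KeyError:
        raise ValueError("unknown metric value in " + vector) from None
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

# Rows copied from this bulletin: (CVE, listed score, vector).
ROWS = [
    ("CVE-2014-0429", 10.0, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("CVE-2014-0460", 5.8, "AV:N/AC:M/Au:N/C:P/I:P/A:N"),
    ("CVE-2015-3209", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("CVE-2015-0501", 5.7, "AV:N/AC:M/Au:M/C:N/I:N/A:C"),
    ("CVE-2013-5908", 2.6, "AV:N/AC:H/Au:N/C:N/I:N/A:P"),
    ("CVE-2015-0975", 6.5, "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
]

def audit(rows):
    """Map each CVE to 'ok', 'mismatch', or 'not-v2' (vector is not CVSS v2)."""
    result = {}
    for cve, listed, vector in rows:
        try:
            result[cve] = "ok" if base_score(vector) == listed else "mismatch"
        except ValueError:
            result[cve] = "not-v2"
    return result

if __name__ == "__main__":
    print(audit(ROWS))
```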


Solution:
The following software releases have been updated to resolve these issues: Junos Space 15.1R1 and all subsequent releases.

CVE-2015-0975 is being tracked as PR 1060097.

CVE-2015-3209 is being tracked as PR 1067419.

OpenJDK JRE upgrade is being tracked as PR 987851.

Apache upgrade is being tracked as PR 987853.

MySQL upgrade is being tracked as PR 987852.

These PRs are visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.


Workaround:
As a workaround, use access lists or firewall filters to limit access to the device, so that it can only be accessed from trusted hosts which are restricted from accessing potentially hazardous sites and services. Restrict access to only highly trusted administrators.

To mitigate XSS vulnerabilities with Junos Space, use a dedicated client and a dedicated web browser that is not used to access other sites.
Implementation:
How to obtain fixed software:
Junos Space Releases are available at http://www.juniper.net/support/downloads/?p=space#sw.

Modification History:

2015-10-14: Initial publication
2016-09-07: Corrected the name of Java Runtime Environment used by Junos Space.


CVSS Score:
10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Risk Level:
Critical
Risk Assessment:
Information on how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".
Acknowledgements: