Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

2015-10 Security Bulletin: Junos Space: Multiple Vulnerabilities in Junos Space

0

0

Article ID: JSA10698 SECURITY_ADVISORIES Last Updated: 07 Sep 2016Version: 2.0
Product Affected:
​Junos Space releases prior to 15.1R1
Problem:

​Multiple vulnerabilities have been addressed in Junos Space 15.1R1 release.

These include cross site scripting (XSS), SQL injection and command injection vulnerabilities. These vulnerabilities may potentially allow a remote unauthenticated network based attacker with access to Junos Space to execute arbitrary code on Junos Space. These vulnerabilities were found during internal product testing. These issues have been assigned CVE-2015-7753.

OpenJDK runtime was upgraded to 1.7.0 update_79 which resolves:

CVE CVSS v2 base score Summary
CVE-2014-0429 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Vulnerability in Java 2D.
CVE-2014-0456 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Vulnerability in Java Hotspot.
CVE-2014-0460 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) Vulnerability in JNDI.
CVE-2014-0453 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N) Vulnerability in Java Security.

Following vulnerability was resolved in OpenNMS software included with Junos Space:

CVE CVSS v2 base score Summary
CVE-2015-0975​ 6.5 ​(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) OpenNMS Authenticated XXE

​​​KVM Package​ was upgraded to kvm-83-273.el5.centos.x86_64.rpm which resolves the following vulnerability:

CVE CVSS v2 base score Summary
CVE-2015-3209 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Heap-based buffer overflow vulnerability in the PCNET controller in QEMU.

Mozilla NSS Package​ was upgraded to nss-3.18.0-6.el5_11 which resolves the following vulnerability:

CVE CVSS v2 base score Summary
CVE-2014-1568 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) NSS does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures.

Apache HTTP Server was upgraded to 2.2.31 resolving the following issues:

CVE CVSS v2 base score Summary
CVE-2013-2249 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Vulnerability in Apache mod_session_dbd module.
CVE-2013-6438 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Denial of service in Apache mod_dav module.
CVE-2014-0098 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Denial of service in Apache mod_log_config module.

MySQL was upgraded to 5.6.23 which resolves the following vulnerabilities that may pose a risk to MySQL as used in Junos Space:​

CVE CVSS v2 base score Summary
CVE-2014-6491 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Vulnerability in MySQL Server related to SERVER:SSL:yaSSL.
CVE-2014-6500 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Vulnerability in MySQL Server related to SERVER:SSL:yaSSL.
CVE-2015-0501 5.7 (AV:N/AC:M/Au:M/C:N/I:N/A:C) Vulnerability in MySQL Server related to Server : Compiling.
CVE-2014-6478 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Vulnerability in MySQL Server related to SERVER:SSL:yaSSL.
CVE-2014-6494 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) Vulnerability in MySQL Server related to CLIENT:SSL:yaSSL.
CVE-2014-6495 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) Vulnerability in MySQL Server related to SERVER:SSL:yaSSL.
CVE-2014-6496 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) Vulnerability in MySQL Server related to CLIENT:SSL:yaSSL.
CVE-2014-6559 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Vulnerability in MySQL Server related to C API SSL CERTIFICATE HANDLING.
CVE-2015-2620 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Vulnerability in MySQL Server related to Server : Security : Privileges.
CVE-2013-5908 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) Vulnerability in MySQL Server related to Error Handling.


Solution:
The following software releases have been updated to resolve these issues: Junos Space 15.1R1, and all subsequent releases.

​CVE-2015-0975​ is being tracked as PR 1060097.

CVE-2015-3209​ is being tracked as PR ​1067419.​​

OpenJDK JRE upgrade is being tracked as PR 987​851.

Apache upgrade is being tracked as PR 987853.

MySQL upgrade is being tracked as PR 987852.

These PRs are visible on the Customer Support website.​

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.​​


Workaround:
As a workaround, use access lists or firewall filters to limit access to the device, so that it can only be accessed from trusted hosts which are restricted from accessing potentially hazardous sites and services. Restrict access to only highly trusted administrators.

To mitigate XSS vulnerabilities with Junos Space use a dedicated client and dedicated web browser that is not used to access other sites.
Implementation:
How to obtain fixed software:
Junos Space Releases are available at http://www.juniper.net/support/downloads/?p=space#sw.

Modification History:
Modification History:

2015-10-14: Initial publication
2016-09-07: Corrected the name of Java Runtime Environment used by Junos Space.


CVSS Score:
10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories"
Acknowledgements:

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search