
2018-01 Security Bulletin: Junos Space Security Director and Log Collector: Multiple vulnerabilities resolved in 17.2R1 release


Article ID: JSA10840
Category: SECURITY_ADVISORIES
Last Updated: 10 Jan 2018
Version: 6.0
Product Affected:
Security Director and Log Collector prior to 17.2R1
Problem:

Multiple vulnerabilities have been resolved in the Security Director and Log Collector 17.2R1 release, either by updating third-party software included with Security Director and Log Collector or by fixing vulnerabilities found during internal testing.

Important security issues resolved as a result of these upgrades include:

CVE | CVSS | Summary
CVE-2015-5600 | 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) | OpenSSH: Log Collector: sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates.
CVE-2015-6563 | 6.4 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) | OpenSSH: Log Collector: a flaw was found in the way OpenSSH handled PAM authentication when using privilege separation.
CVE-2015-6564 | 4.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) | OpenSSH: Log Collector: a use-after-free flaw was found in OpenSSH.
CVE-2018-0010 | 6.4 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N) | A vulnerability in the Security Director allows a user who does not have SSH access to a device to reuse the URL that was created for another user to perform SSH access.

 

Solution:

These issues are resolved in the Security Director and Log Collector 17.2R1 and subsequent releases.
These issues are being tracked as 1309875 and 1290124, which are visible on the Customer Support website.

Workaround:

There are no viable workarounds for these issues.

Implementation:
Software releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
2018-01-10: Initial Publication.
CVSS Score:
6.4 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Medium
Severity Assessment:
Information on how Juniper Networks uses CVSS can be found in KB 16446, "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
