2018-01 Security Bulletin: Junos Space Security Director and Log Collector: Multiple vulnerabilities resolved in 17.2R1 release

[JSA10840]

Product Affected:
Security Director and Log Collector prior to 17.2R1

Multiple vulnerabilities have been resolved in the Security Director and Log Collector 17.2R1 release by updating third-party software included with Security Director and Log Collector or by fixing vulnerabilities found during internal testing.

Important security issues resolved as a result of these upgrades include:

| CVE | CVSS | Summary |
|---|---|---|
| CVE-2015-5600 | 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) | OpenSSH: Log Collector: sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. |
| CVE-2015-6563 | 6.4 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) | OpenSSH: Log Collector: a flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. |
| CVE-2015-6564 | 4.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) | OpenSSH: Log Collector: a use-after-free flaw was found in OpenSSH. |
| CVE-2018-0010 | 6.4 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N) | A vulnerability in the Security Director allows a user who does not have SSH access to a device to reuse the URL that was created for another user to perform SSH access. |



These issues are resolved in the Security Director and Log Collector 17.2R1 and subsequent releases.
These issues are being tracked as 1309875 and 1290124, which are visible on the Customer Support website.


There are no viable workarounds for these issues.

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
2018-01-10: Initial Publication.
CVSS Score:
6.4 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."