
2018-10 Security Bulletin: Junos OS: Denial of Service in J-Web (CVE-2018-0062)

  [JSA10897]


Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 15.1, 15.1F6, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3.
Problem:
A Denial of Service vulnerability in the J-Web service may allow a remote unauthenticated user to cause a Denial of Service that may prevent other users from authenticating or from performing J-Web operations.

Affected releases are Juniper Networks Junos OS:
  • 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
  • 12.3 versions prior to 12.3R12-S10;
  • 12.3X48 versions prior to 12.3X48-D60 on SRX Series;
  • 15.1 versions prior to 15.1R7;
  • 15.1F6;
  • 15.1X49 versions prior to 15.1X49-D120 on SRX Series;
  • 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
  • 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
  • 15.1X53 versions prior to 15.1X53-D234 on QFX5200/QFX5110 Series;
  • 15.1X53 versions prior to 15.1X53-D470, 15.1X53-D495 on NFX Series;
  • 16.1 versions prior to 16.1R6;
  • 16.2 versions prior to 16.2R2-S6, 16.2R3;
  • 17.1 versions prior to 17.1R2-S6, 17.1R3;
  • 17.2 versions prior to 17.2R3;
  • 17.3 versions prior to 17.3R2.

No other Juniper Networks products or platforms are affected by this issue.

Examples of the configuration stanzas affected by this issue:
system services web-management http
system services web-management https


Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2018-0062.
Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D60, 15.1R7, 15.1X49-D120, 15.1X53-D234, 15.1X53-D470, 15.1X53-D495, 15.1X53-D59, 15.1X53-D67, 16.1R6, 16.2R2-S6, 16.2R3, 17.1R2-S6, 17.1R3, 17.2R3, 17.3R2, 17.4R1 and all subsequent releases.

This issue is being tracked as PR 1264695 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

Limit access to J-Web from only trusted hosts, networks and administrators.
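One way to apply this workaround on Junos, given here as an added example that is not part of the advisory: a stateless firewall filter on the loopback interface that accepts HTTP/HTTPS to the Routing Engine only from a trusted management prefix, while counting and logging any other J-Web connection attempts before discarding them. The prefix 192.0.2.0/24, the filter and term names, and the counter name are constructed assumptions; on SRX Series the security zone's host-inbound-traffic system-services settings also govern which zones may reach J-Web.

```junos
# Constructed trusted management prefix (assumption; replace with your own)
set policy-options prefix-list TRUSTED-MGMT 192.0.2.0/24

# Permit J-Web (http/https) only from the trusted prefix
set firewall family inet filter PROTECT-RE term ALLOW-JWEB from source-prefix-list TRUSTED-MGMT
set firewall family inet filter PROTECT-RE term ALLOW-JWEB from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-JWEB from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term ALLOW-JWEB then accept

# Count, log and discard J-Web attempts from anywhere else (useful for detection)
set firewall family inet filter PROTECT-RE term BLOCK-JWEB from protocol tcp
set firewall family inet filter PROTECT-RE term BLOCK-JWEB from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term BLOCK-JWEB then count jweb-blocked
set firewall family inet filter PROTECT-RE term BLOCK-JWEB then log
set firewall family inet filter PROTECT-RE term BLOCK-JWEB then discard

# Final term: leave all other Routing Engine traffic untouched
# (a filter ends with an implicit discard, so this term is required)
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept

# Apply the filter to traffic destined to the Routing Engine
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

After committing, "show firewall filter PROTECT-RE" shows the jweb-blocked counter and "show firewall log" lists the discarded attempts, which gives a simple check that the restriction is in effect.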

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
2018-10-10: Initial publication

Related Links:
CVSS Score:
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Risk Level:
Medium
Acknowledgements:
The Juniper SIRT would like to acknowledge and thank Alex Chash from SecureCom Limited.