
2019-10 Security Bulletin: Junos OS: Persistent XSS vulnerability in J-Web (CVE-2019-0047)

[JSA10970]


Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4.
Problem:

A persistent Cross-Site Scripting (XSS) vulnerability in Junos OS J-Web interface may allow remote unauthenticated attackers to perform administrative actions on the Junos device. Successful exploitation requires a Junos administrator to first perform certain diagnostic actions on J-Web.

This issue affects:

Juniper Networks Junos OS 12.1X46 versions prior to 12.1X46-D86;
12.3 versions prior to 12.3R12-S13;
12.3X48 versions prior to 12.3X48-D80;
14.1X53 versions prior to 14.1X53-D51;
15.1 versions prior to 15.1F6-S13, 15.1R7-S4;
15.1X49 versions prior to 15.1X49-D171, 15.1X49-D180;
15.1X53 versions prior to 15.1X53-D497, 15.1X53-D69;
16.1 versions prior to 16.1R7-S5;
16.2 versions prior to 16.2R2-S9;
17.1 versions prior to 17.1R3;
17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1;
17.3 versions prior to 17.3R3-S6;
17.4 versions prior to 17.4R1-S7, 17.4R2-S4, 17.4R3;
18.1 versions prior to 18.1R3-S5;
18.2 versions prior to 18.2R1-S5, 18.2R2-S3, 18.2R3;
18.3 versions prior to 18.3R1-S3, 18.3R2, 18.3R3;
18.4 versions prior to 18.4R1-S2, 18.4R2.

Successful exploitation requires J-Web to be enabled on the device.

Examples of the configuration stanzas affected by this issue:

system services web-management http
system services web-management https

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2019-0047.

Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D86, 12.3R12-S13, 12.3X48-D80, 14.1X53-D51, 15.1F6-S13, 15.1R7-S4, 15.1X49-D171, 15.1X49-D180, 15.1X53-D497, 15.1X53-D69, 16.1R7-S5, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.2R2-S7, 17.2R3-S1, 17.3R3-S6, 17.4R1-S7, 17.4R2-S4, 17.4R3, 18.1R3-S5, 18.2R1-S5, 18.2R2-S3, 18.2R3, 18.3R1-S3, 18.3R2, 18.4R1-S2, 18.4R2, 19.1R1, and all subsequent releases.

This issue is being tracked as PR 1410400 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
Disable J-Web.

Limit access to the Junos device to only trusted hosts and networks.
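The following Junos configuration is an added illustration of both workarounds and is not part of the Juniper advisory; the trusted management prefix 192.0.2.0/24 and the filter name PROTECT-RE are placeholders chosen for the example.

```junos
/* Added example, not from JSA10970. 192.0.2.0/24 stands in for the trusted
   management network. Option 1 is simply to remove J-Web in configuration
   mode: "delete system services web-management". Option 2, shown below,
   keeps J-Web but admits only trusted hosts through a lo0 input filter. */
firewall {
    family inet {
        filter PROTECT-RE {
            /* J-Web (HTTP/HTTPS) reachable from the trusted prefix only */
            term allow-trusted-web {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ http https ];
                }
                then accept;
            }
            /* Log and drop every other attempt to reach J-Web */
            term deny-other-web {
                from {
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* Leave all other control-plane traffic untouched */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

The syslog action on the deny term also gives a log record of rejected connection attempts, which is useful for monitoring while the upgrade is scheduled.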

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
2019-10-09: Initial Publication.
Related Links:
CVSS Score:
8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
The Juniper SIRT would like to acknowledge and thank Farid Heydari for finding and reporting this issue.