Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

2020-04 Security Bulletin: Juniper Secure Analytics (JSA): Multiple vulnerabilities resolved in JSA 7.3.2 Patch 5, and 7.3.3 Patch 1 FixPack 1

0

0

Article ID: JSA11007 SECURITY_ADVISORIES Last Updated: 08 Apr 2020Version: 2.0
Product Affected:
These issues affect Juniper Secure Analytics (JSA) 7.3.2 , 7.3.3.
Problem:
Multiple vulnerabilities have been resolved in the Juniper Secure Analytics (JSA) 7.3.2 Patch 5, and 7.3.3 Patch 1 FixPack 1 by fixing vulnerabilities in the Linux kernel in addition to other software components.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

These issues were discovered during an external security research.

The important security issues resolved include:

 
CVE CVSS Summary
CVE-2018-0732 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).
CVE-2018-0739 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
CVE-2018-1139 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client.
CVE-2018-10858 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.
CVE-2018-11237 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.
CVE-2018-11784 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
CVE-2018-12126 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2018-12130 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2019-1559 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
CVE-2019-4454 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N The software is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2019-4470 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N The software is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2019-4509 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N The software is vulnerable to incorrect authorization in some components which could allow an authenticated user to obtain sensitive information.
CVE-2019-4556 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N The software uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity.
CVE-2019-4559 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N The software discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system.
CVE-2019-4581 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N The software is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2019-10173 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
CVE-2019-11091 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2019-11477 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) The Linux Kernel is vulnerable to a denial of service, caused by an integer overflow when processing TCP Selective Acknowledgement (SACK) capabilities. By sending specially-crafted SACKs requests, a remote attacker could exploit this vulnerability to cause a kernel panic condition.
CVE-2019-11478 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) The Linux Kernel is vulnerable to a denial of service, caused by an issue with fragmenting the TCP retransmission queue when processing TCP Selective Acknowledgement (SACK) capabilities. By sending specially-crafted SACKs requests, a remote attacker could exploit this vulnerability to cause an excess of system resource usage.
CVE-2019-11479 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) The Linux Kernel is vulnerable to a denial of service, caused by a flaw when processing minimum segment size (MSS). By sending specially-crafted MSS traffic, a remote attacker could exploit this vulnerability to cause excess usage of system resources.

 

Solution:

The issues listed above have been resolved in JSA: 7.3.2 Patch 5, 7.3.3 Patch 1 FixPack 1, and all subsequent releases.

Theses issues are being tracked as 1425257, 1425259, 1425262, 1425267, 1465154, 1479984, 1479985, 1479988, 1479989, 1479990, 1479996, 1480043, 1483055 and 1483059.

Workaround:
There are no known workarounds for these issues.
Implementation:
Software release Service Packages are available at http://support.juniper.net from the "Download Software" links.
Modification History:
‚Äč2020-04-08: Initial publication
CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search