Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

In which releases are vulnerabilities fixed?

0

0

Article ID: KB16765 KB Last Updated: 22 Jul 2014Version: 4.0
Summary:
To what releases will Juniper Networks apply fixes to resolve security vulnerabilities?
Symptoms:

Cause:
 
Solution:
Juniper Networks applies fixes for product security vulnerabilities to all actively supported releases of software for the product or platform affected, based on the CVSS score of the vulnerability.

The Common Vulnerability Scoring System (CVSS) is the primary tool Juniper Networks uses to determine which software releases receive fixes for vulnerabilities. As a normal practice, all security fixes are applied to the currently active releases. In general, if a CVSS Base score is 3 or higher, the security fix will be applied to all releases which have not yet reached End of Engineering (EOE).

It is not the standard practice of Juniper Networks to apply security fixes to releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Please refer to these pages for the official Juniper Networks policies and timetables for End of Engineering (EOE), End of Life (EOL), and Extended End of Life (EEOL).

These statements above are guidelines and not exact rules. There are many factors that can affect the decision as to which releases will be selected to receive fixes for vulnerabilities, especially when considering border cases involving EOL and EOE releases. For example, backporting vulnerability fixes into older releases may require a significant development effort nearly equivalent to producing a new release, and is simply not feasible or pragmatic in the face of a low-risk threat. In other circumstances, backporting a fix may be a straightforward exercise and may be justified due to a greater risk posed by the specific vulnerability. The Juniper Networks SIRT welcomes any input from customers, the network security community, and the public that improves our ability to determine which End of Life and End of Engineering releases will be fixed to resolve specific vulnerabilities.

Questions and concerns can be sent to the Juniper Networks Security Incident Response Team (SIRT) via E-mail at sirt@juniper.net.
Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search