-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1385
       2014-08 Security Bulletin: Network and Security Manager NSM:
                         Multiple vulnerabilities
                              14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Network and Security Manager
Publisher:         Juniper Networks
Operating System:  Network Appliance
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0460 CVE-2014-0453 CVE-2014-0423
                   CVE-2014-0411 CVE-2013-5830 CVE-2013-5825
                   CVE-2013-5823 CVE-2013-5803 CVE-2013-5802
                   CVE-2013-5780 CVE-2013-4002 CVE-2013-2461
                   CVE-2013-2457 CVE-2013-2451 CVE-2013-2407
                   CVE-2013-1537 CVE-2013-0443 CVE-2013-0440
                   CVE-2013-0169 CVE-2012-5081 CVE-2012-0053
                   CVE-2012-0031 CVE-2011-3368 CVE-2011-3192
                   CVE-2011-0419  

Reference:         ASB-2014.0077
                   ASB-2014.0063
                   ESB-2011.0668
                   ESB-2011.0583
                   ESB-2011.0552
                   ESB-2011.0524.2
                   ESB-2011.0523

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10642

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-08 Security Bulletin: Network and Security Manager NSM: Multiple 
vulnerabilities
	
Categories: 	

    NSMXpress
    NSM
    NSM3000
    SIRT Advisory

Security Advisories ID: 	JSA10642
Last Updated: 			13 Aug 2014	
Version: 			2.0

Product Affected:
NSM3000 and NSMExpress with NSM release 2012.2 and NSM software release 2012.2

Problem:

NSM release 2012.2R9 addresses vulnerabilities in prior releases with updated 
Java Runtime Environment. Oracle Java runtime 1.6.0 update_34 was upgraded to 
1.7.0 update_51 which fixes a number of critical vulnerabilities that affect 
server side Java as used in NSM:

CVE 		CVSS v2 base score 			Summary

CVE-2012-5081 	5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 	Vulnerability in JSSE

CVE-2013-0169 	2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 	Vulnerability in TLS 
							aka the "Lucky 
							Thirteen" issue

CVE-2013-0440 	5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 	Vulnerability in JSSE

CVE-2013-0443 	4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 	Vulnerability in JSSE

CVE-2013-1537 	10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 	Vulnerability in RMI

CVE-2013-2407 	6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 	Vulnerability in Java 
							libraries

CVE-2013-2451 	3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P) 	Vulnerability in 
							Networking

CVE-2013-2457 	5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 	Vulnerability in JMX

CVE-2013-2461 	7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 	Vulnerability in Java 
							libraries

CVE-2013-4002 	7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C) 	DoS vulnerability

CVE-2013-5780 	4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 	Vulnerability in Java 
							libraries

CVE-2013-5802 	7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 	Vulnerability in JAXP

CVE-2013-5803 	2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 	Vulnerability in JGSS

CVE-2013-5823 	5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 	Vulnerability in Java 
							security component

CVE-2013-5825 	5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 	Vulnerability in JAXP

CVE-2013-5830 	10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 	Vulnerability in Java 
							libraries

CVE-2014-0411 	4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 	Vulnerability in JSSE

CVE-2014-0423 	5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P) 	Vulnerability in Java 
							Beans

CVE-2014-0453 	4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 	Vulnerability in Java 
							security component

CVE-2014-0460 	5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 	Vulnerability in JNDI


NSM Appliance Generic Offline Upgrade Package v1 for CentOS 5.x addresses 
following vulnerabilities in Apache HTTP server and Apache Runtime Environment:

CVE 		CVSS v2 base score 			Summary

CVE-2012-0031 	4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P) 	Apache HTTP server 
							denial of service 
							related to scoreboard

CVE-2012-0053 	4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 	HTTP-only cookie 
							disclosure 
							vulnerability

CVE-2011-3368 	5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 	Access restriction 
							bypass vulnerability in
							mod_proxy module

CVE-2011-3192 	7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 	Remote denial of 
							service vulnerability

CVE-2011-0419 	4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 	Remote denial of 
							service vulnerability 
							in APR

Solution:

Vulnerabilities in Java are fixed in NSM 2012.2R9 released August 12, 2014 and
all subsequent releases.

Vulnerabilities in Apache are resolved by applying "NSM Appliance Generic 
Offline Upgrade Package for CentOS 5.x " v1 or later.

Workaround:
Use access lists or firewall filters to limit access to the NSM server only 
from trusted hosts.

Implementation:
How to obtain fixed software: NSM Maintenance Releases are available at 
http://www.juniper.net/support/downloads/?p=nsm#sw.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

    Report a Security Vulnerability - How to Contact the Juniper Networks 
    Security Incident Response Team

CVSS Score:
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Risk Level:
High

Risk Assessment:
Java vulnerability CVE-2013-5830 has the highest CVSS v2 base score of 10.0 in 
this advisory.

Acknowledgements:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU+w4WhLndAQH1ShLAQJspg//Qkg5E/ZFjr8xNvLcLLQQbMM7U/cRnJU7
eD8KiEPfgwcESRhJrf+sHuguSFDj1ElH2G6Qv0OIepwWNSykgyUqJoG+0N9W1P+B
pkwMdeghqIkqyeCuq8Re15pKaid0nwZdETagD1LFWLbxrLTVkgDtMYSL5NblZ9LD
SdzLQpC0EYcjka5/f7n8qcjYusAWxSSz5eDn+5ccoHfaa/xzDyiBdrsGK3ARKMg1
U5+SSfjjbGpgyUBji1dNIwBqd2+Mqzj4WUx+Egfigqr6YfzmIDNvjHDSq6NcpkqE
TYqsYBrzy+Mx4L8e7xUz3OxV8/2lXuiZBt/dA439BHVF/zdPPgzjkDZZMYm1FN+0
zBAPQTbih93G9NRExZ4mUs9sn8WsdW0dGQ/sLpkdH52XYIU18kYUbISJRBD771Vz
p0hWfpQEvx9EXWI5kefWG4oUxf7D5Ody1VHiRC6CYYHsH/+7VK7+wu4i3v1jVGsX
1jAfWrJ8mKVOpfgvfD8M0x8xhQwoit9+BP0LhY9QWCyunAS0IrxvmXS76P2qrTBT
/Bggjp70dN+/+GXBkWYAbaVBiQsXdg/nzNmLjOW9dx5dkiGk1VCjuO35utJZirpJ
M4nSXVPY5cu2z+eRc8zA7YuszFEqaSLgNySMSJX7Znl4IiVaTx6eScJZc03nb2/J
dauMGUmLwgM=
=AHw9
-----END PGP SIGNATURE-----