
             AUSCERT External Security Bulletin Redistribution

 2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security Threat
        Response Manager (STRM): Multiple vulnerabilities resolved
                     by third party software upgrades.
                              14 August 2014


        AusCERT Security Bulletin Summary

Product:           Juniper Secure Analytics (JSA)
                   Juniper Security Threat Response Manager (STRM)
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0411 CVE-2014-0224 CVE-2014-0198
                   CVE-2014-0114 CVE-2014-0107 CVE-2014-0098
                   CVE-2014-0067 CVE-2014-0066 CVE-2014-0065
                   CVE-2014-0064 CVE-2014-0063 CVE-2014-0062
                   CVE-2014-0061 CVE-2014-0060 CVE-2014-0033
                   CVE-2014-006 CVE-2013-4590 CVE-2013-4322
                   CVE-2013-4286 CVE-2010-5298 

Reference:         ASB-2014.0092

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security Threat 
Response Manager (STRM): Multiple vulnerabilities resolved by third party 
software upgrades.

    STRM Series
    STRM 500
    JSA Series

Security Advisories ID: JSA10643

Last Updated: 13 Aug 2014

Version: 2.0

Product Affected: JSA series devices or virtual machines with JSA software 
releases: 2013.2, 2014.1, 2014.2 and STRM series devices or virtual machines 
with STRM software releases: 2012.1, 2013.1, 2013.2


Multiple vulnerabilities in Juniper Secure Analytics (JSA) and Security Threat
Response Manager (STRM) software have been resolved with updated third party 
software components.

CVE-2014-0411: A TLS timing vulnerability in IBM Runtime Environment, Java
Technology Edition, Version 6 and 7 affects STRM/JSA 2013.2 releases prior to
2013.2R7. This may allow remote attackers to obtain sensitive information
about encryption keys via a timing discrepancy during the TLS/SSL handshake.
STRM/JSA 2014.2 and later releases do not have this problem.

CVE             CVSS v2 base score                  Type of issue

CVE-2014-0411   4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)
                Java: encryption key disclosure via a timing discrepancy during
                the TLS/SSL handshake

CVE-2014-0114: A ClassLoader manipulation vulnerability in Apache Struts
affects STRM/JSA 2012.1 releases prior to 2012.1R7 and 2013.2 releases prior
to 2013.2R8. This may allow a remote attacker to execute arbitrary code on the
system. STRM/JSA 2014.2 and later releases do not have this problem.

CVE-2014-0114   7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
                Apache Struts: ClassLoader manipulation vulnerability

STRM/JSA 2013.2 releases prior to 2013.2R8 and 2014.2R2 are affected by the 
following Apache Tomcat and Apache Xalan-Java vulnerabilities:

CVE-2013-4590   4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
                Apache Tomcat: XML External Entity resolution vulnerability

CVE-2013-4286   5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
                Apache Tomcat: improper validation of HTTP request headers

CVE-2013-4322   4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
                Apache Tomcat: DoS while processing chunked transfer coding

CVE-2014-0033   4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
                Apache Tomcat: session fixation vulnerability

CVE-2014-0107   7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
                Apache Xalan-Java: improper access restrictions vulnerability

STRM 2012.1 releases prior to 2012.1R8 are affected by the following 
PostgreSQL vulnerabilities:

CVE-2014-0060   4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
                PostgreSQL: privilege escalation vulnerability

CVE-2014-0061   6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
                PostgreSQL: privilege escalation vulnerability

CVE-2014-0062   4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
                PostgreSQL: race condition vulnerability

CVE-2014-0063   6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
                PostgreSQL: stack-based buffer overflow vulnerability

CVE-2014-0064   6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
                PostgreSQL: integer overflow vulnerability

CVE-2014-0065   6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
                PostgreSQL: buffer overflow vulnerability

CVE-2014-0066   4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
                PostgreSQL: denial of service vulnerability

CVE-2014-0067   4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
                PostgreSQL: privilege escalation vulnerability

STRM 2012.1 releases prior to 2012.1R8, STRM/JSA 2013.2 releases prior to
2013.2R8 and JSA 2014.2R2 are vulnerable to the following Apache HTTP Server
and OpenSSL vulnerabilities:

CVE-2014-0098   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
                Apache HTTP Server: denial of service

CVE-2014-0224   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
                OpenSSL: ChangeCipherSpec injection

CVE-2014-0198   4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
                OpenSSL: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
                denial of service

CVE-2010-5298   4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)
                OpenSSL: SSL_MODE_RELEASE_BUFFERS session injection or denial
                of service


JSA 2012.1R8, 2013.2R8, 2014.2R3 or later releases completely resolve all the
vulnerabilities mentioned above.


JSA 2013.2R8 and 2014.2R3 or later releases resolve CVE-2014-0098, 
CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2013-4286, CVE-2014-0033, 
CVE-2013-4322, CVE-2013-4590, CVE-2014-0107.

JSA 2012.1R8 or later releases resolve CVE-2014-0098, CVE-2014-0224, 
CVE-2014-0198, CVE-2010-5298, CVE-2014-0066, CVE-2014-0063, CVE-2014-0064, 
CVE-2014-0067, CVE-2014-0065, CVE-2014-0062, CVE-2014-0061, CVE-2014-006.

2013.2R7 or later releases resolve CVE-2014-0114, CVE-2014-0411.

2012.1R7 or later releases resolve CVE-2014-0411.


Use access lists or firewall filters to limit access to the JSA/STRM device 
only from trusted hosts.


How to obtain fixed software:

JSA and STRM Software Releases are available at 

Related Links:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security

Report a Security Vulnerability - How to Contact the Juniper Networks 
Security Incident Response Team

CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Risk Level: High

Risk Assessment: Apache Struts vulnerability CVE-2014-0114 has the highest 
CVSS v2 base score of 7.5 in this advisory.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.