===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1386
 2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security Threat
        Response Manager (STRM): Multiple vulnerabilities resolved
                     by third party software upgrades.
                              14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Secure Analytics (JSA)
                   Juniper Security Threat Response Manager (STRM)
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0411 CVE-2014-0224 CVE-2014-0198
                   CVE-2014-0114 CVE-2014-0107 CVE-2014-0098
                   CVE-2014-0067 CVE-2014-0066 CVE-2014-0065
                   CVE-2014-0064 CVE-2014-0063 CVE-2014-0062
                   CVE-2014-0061 CVE-2014-0060 CVE-2014-0033
                   CVE-2014-0060 CVE-2013-4590 CVE-2013-4322
                   CVE-2013-4286 CVE-2010-5298

Reference:         ASB-2014.0092
                   ASB-2014.0083
                   ASB-2014.0079
                   ASB-2014.0077
                   ESB-2014.0247
                   ESB-2014.0220
                   ESB-2014.0102
                   ESB-2014.0065
                   ESB-2014.0058

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10643

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security Threat 
Response Manager (STRM): Multiple vulnerabilities resolved by third party 
software upgrades.

Categories:

    STRM_2500_II
    STRM_500_II
    STRM_5000_II
    STRM Series
    STRM 500
    STRM_2500
    STRM_5000
    JSA Series
    JSA1500
    JSA3500

Security Advisories ID: JSA10643

Last Updated: 13 Aug 2014

Version: 2.0

Product Affected: JSA series devices or virtual machines with JSA software 
releases: 2013.2, 2014.1, 2014.2 and STRM series devices or virtual machines 
with STRM software releases: 2012.1, 2013.1, 2013.2

Problem:

Multiple vulnerabilities in Juniper Secure Analytics (JSA) and Security Threat
Response Manager (STRM) software have been resolved with updated third party 
software components.

CVE-2014-0411 A TLS timing vulnerability in IBM Runtime Environment, Java 
Technology Edition, Version 6 and 7 affects STRM/JSA 2013.2 releases prior to
2013.2R7. This may allow remote attackers to obtain sensitive information 
about encryption keys via a timing discrepancy during the TLS/SSL handshake. 
STRM/JSA 2014.2 and later releases do not have this problem.

CVE            CVSS v2 base score                Type of issue

CVE-2014-0411  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)  Java: encryption key disclosure via a
                                                 timing discrepancy during the TLS/SSL
                                                 handshake

CVE-2014-0114 A ClassLoader manipulation vulnerability in Apache Struts
affects STRM/JSA 2012.1 releases prior to 2012.1R7 and 2013.2 releases prior
to 2013.2R8. This may allow a remote attacker to execute arbitrary code on the
system. STRM/JSA 2014.2 and later releases do not have this problem.

CVE-2014-0114  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)  Apache Struts: ClassLoader manipulation
                                                 vulnerability

STRM/JSA 2013.2 releases prior to 2013.2R8 and 2014.2R2 are affected by the 
following Apache Tomcat and Apache Xalan-Java vulnerabilities:

CVE-2013-4590  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)  Apache Tomcat: XML External Entity
                                                 resolution vulnerability

CVE-2013-4286  5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)  Apache Tomcat: improper validation of
                                                 HTTP request headers

CVE-2013-4322  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)  Apache Tomcat: DoS while processing
                                                 chunked transfer coding

CVE-2014-0033  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)  Apache Tomcat: session fixation
                                                 vulnerability

CVE-2014-0107  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)  Apache Xalan-Java: improper access
                                                 restrictions vulnerability

STRM 2012.1 releases prior to 2012.1R8 are affected by the following 
PostgreSQL vulnerabilities:

CVE-2014-0060  4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)  PostgreSQL: privilege escalation
                                                 vulnerability

CVE-2014-0061  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)  PostgreSQL: privilege escalation
                                                 vulnerability

CVE-2014-0062  4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)  PostgreSQL: race condition
                                                 vulnerability

CVE-2014-0063  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)  PostgreSQL: stack-based buffer
                                                 overflow vulnerability

CVE-2014-0064  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)  PostgreSQL: integer overflow
                                                 vulnerability

CVE-2014-0065  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)  PostgreSQL: buffer overflow
                                                 vulnerability

CVE-2014-0066  4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)  PostgreSQL: denial of service
                                                 vulnerability

CVE-2014-0067  4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)  PostgreSQL: privilege escalation
                                                 vulnerability

STRM 2012.1 releases prior to 2012.1R8, STRM/JSA 2013.2 releases prior to 
2013.2R8 and JSA 2014.2R2 are vulnerable to the following Apache and OpenSSL 
vulnerabilities:

CVE-2014-0098  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)  Apache HTTP Server: denial of service

CVE-2014-0224  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)  OpenSSL: ChangeCipherSpec injection

CVE-2014-0198  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)  OpenSSL: SSL_MODE_RELEASE_BUFFERS NULL
                                                 pointer dereference denial of service

CVE-2010-5298  4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)  OpenSSL: SSL_MODE_RELEASE_BUFFERS
                                                 session injection or denial of service

Solution:

JSA 2012.1R8, 2013.2R8, 2014.2R3 or later releases completely resolve all the
vulnerabilities mentioned above.

Specifically:

JSA 2013.2R8 and 2014.2R3 or later releases resolve CVE-2014-0098, 
CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2013-4286, CVE-2014-0033, 
CVE-2013-4322, CVE-2013-4590, CVE-2014-0107.

JSA 2012.1R8 or later releases resolve CVE-2014-0098, CVE-2014-0224, 
CVE-2014-0198, CVE-2010-5298, CVE-2014-0066, CVE-2014-0063, CVE-2014-0064, 
CVE-2014-0067, CVE-2014-0065, CVE-2014-0062, CVE-2014-0061, CVE-2014-0060.

2013.2R7 or later releases resolve CVE-2014-0114, CVE-2014-0411.

2012.1R7 or later releases resolve CVE-2014-0411.
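As an added illustration (not part of the Juniper bulletin or the AusCERT text), a small Python check that encodes the per-release fix statements from the Solution section above and reports which of this bulletin's CVEs remain open on a given installed JSA/STRM release; the "YYYY.NRn" release-string format and the treatment of trains without a stated fix release (2013.1, 2014.1) are assumptions based on the text:

```python
import re

# Fix releases taken from the bulletin's "Solution" section: for each release
# train, the maintenance release (Rn) at which a group of CVEs is resolved.
# CVE-2014-0060 is the PostgreSQL privilege escalation from the Problem section.
APACHE_OPENSSL = {
    "CVE-2014-0098", "CVE-2014-0224", "CVE-2014-0198", "CVE-2010-5298",
}
TOMCAT_XALAN = {
    "CVE-2013-4286", "CVE-2014-0033", "CVE-2013-4322", "CVE-2013-4590",
    "CVE-2014-0107",
}
POSTGRESQL = {"CVE-2014-%04d" % n for n in range(60, 68)}  # 0060 .. 0067

FIXED_IN = {
    "2012.1": {7: {"CVE-2014-0411"}, 8: APACHE_OPENSSL | POSTGRESQL},
    "2013.2": {7: {"CVE-2014-0114", "CVE-2014-0411"},
               8: APACHE_OPENSSL | TOMCAT_XALAN},
    "2014.2": {3: APACHE_OPENSSL | TOMCAT_XALAN},
}

# Release strings look like "2013.2R7": a year.minor train plus an R number.
# This format is an assumption based on the release names used in the bulletin.
RELEASE_RE = re.compile(r"^(\d{4}\.\d)R(\d+)$")


def parse_release(release):
    """Split "2013.2R7" into ("2013.2", 7); reject anything else loudly."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised JSA/STRM release string: %r" % release)
    return m.group(1), int(m.group(2))


def unresolved_cves(release):
    """Return the bulletin's CVEs still open on the given installed release.
    Trains with no stated fix release (e.g. 2013.1, 2014.1) raise ValueError
    instead of being silently reported as clean."""
    train, r = parse_release(release)
    if train not in FIXED_IN:
        raise ValueError("bulletin lists no fix release for train %s" % train)
    return {cve for fix_r, cves in FIXED_IN[train].items()
            if r < fix_r for cve in cves}


if __name__ == "__main__":
    for rel in ("2012.1R6", "2012.1R7", "2013.2R7", "2013.2R8", "2014.2R2"):
        open_cves = unresolved_cves(rel)
        print("%-9s %2d open: %s" % (rel, len(open_cves), " ".join(sorted(open_cves))))
```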

Workaround:

Use access lists or firewall filters to limit access to the JSA/STRM device 
only from trusted hosts.

Implementation:

How to obtain fixed software:

JSA and STRM Software Releases are available at 
http://www.juniper.net/support/downloads/.

Related Links:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks 
Security Incident Response Team

CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Risk Level: High

Risk Assessment: Apache Struts vulnerability CVE-2014-0114 has the highest 
CVSS v2 base score of 7.5 in this advisory.

Acknowledgements:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================