-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1386
     2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security
    Threat Response Manager (STRM): Multiple vulnerabilities resolved by
                        third party software upgrades.
                               14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Secure Analytics (JSA)
                   Juniper Security Threat Response Manager (STRM)
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0411 CVE-2014-0224 CVE-2014-0198 CVE-2014-0114
                   CVE-2014-0107 CVE-2014-0098 CVE-2014-0067 CVE-2014-0066
                   CVE-2014-0065 CVE-2014-0064 CVE-2014-0063 CVE-2014-0062
                   CVE-2014-0061 CVE-2014-0060 CVE-2014-0033 CVE-2014-006
                   CVE-2013-4590 CVE-2013-4322 CVE-2013-4286 CVE-2010-5298

Reference:         ASB-2014.0092
                   ASB-2014.0083
                   ASB-2014.0079
                   ASB-2014.0077
                   ESB-2014.0247
                   ESB-2014.0220
                   ESB-2014.0102
                   ESB-2014.0065
                   ESB-2014.0058

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10643

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security Threat
Response Manager (STRM): Multiple vulnerabilities resolved by third party
software upgrades.
Categories:   STRM_2500_II STRM_500_II STRM_5000_II STRM Series STRM 500
              STRM_2500 STRM_5000 JSA Series JSA1500 JSA3500
              Security Advisories
ID:           JSA10643
Last Updated: 13 Aug 2014
Version:      2.0

Product Affected:

  JSA series devices or virtual machines with JSA software releases 2013.2,
  2014.1 and 2014.2, and STRM series devices or virtual machines with STRM
  software releases 2012.1, 2013.1 and 2013.2.

Problem:

  Multiple vulnerabilities in Juniper Secure Analytics (JSA) and Security
  Threat Response Manager (STRM) software have been resolved with updated
  third party software components.

  CVE-2014-0411

  A TLS timing vulnerability in IBM Runtime Environment, Java Technology
  Edition, Version 6 and 7 affects STRM/JSA 2013.2 releases prior to
  2013.2R7. This may allow remote attackers to obtain sensitive information
  about encryption keys via a timing discrepancy during the TLS/SSL
  handshake. STRM/JSA 2014.2 and later releases do not have this problem.

  CVE            CVSS v2 base score                  Type of issue
  CVE-2014-0411  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)    Java: encryption key
                                                     disclosure via a timing
                                                     discrepancy during the
                                                     TLS/SSL handshake

  CVE-2014-0114

  A ClassLoader manipulation vulnerability in Apache Struts affects STRM/JSA
  2012.1 releases prior to 2012.1R7 and 2013.2 releases prior to 2013.2R8.
  This may allow a remote attacker to execute arbitrary code on the system.
  STRM/JSA 2014.2 and later releases do not have this problem.

  CVE            CVSS v2 base score                  Type of issue
  CVE-2014-0114  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)    Apache Struts:
                                                     ClassLoader manipulation
                                                     vulnerability

  STRM/JSA 2013.2 releases prior to 2013.2R8 and 2014.2R2 are affected by
  the following Apache Tomcat and Apache Xalan-Java vulnerabilities:

  CVE            CVSS v2 base score                  Type of issue
  CVE-2013-4590  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)    Apache Tomcat: XML
                                                     External Entity
                                                     resolution vulnerability
  CVE-2013-4286  5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)    Apache Tomcat: improper
                                                     validation of HTTP
                                                     request headers
  CVE-2013-4322  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)    Apache Tomcat: DoS while
                                                     processing chunked
                                                     transfer coding
  CVE-2014-0033  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)    Apache Tomcat: session
                                                     fixation vulnerability
  CVE-2014-0107  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)    Apache Xalan-Java:
                                                     improper access
                                                     restrictions vulnerability

  STRM 2012.1 releases prior to 2012.1R8 are affected by the following
  PostgreSQL vulnerabilities:

  CVE            CVSS v2 base score                  Type of issue
  CVE-2014-0060  4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)    PostgreSQL: privilege
                                                     escalation vulnerability
  CVE-2014-0061  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)    PostgreSQL: privilege
                                                     escalation vulnerability
  CVE-2014-0062  4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)    PostgreSQL: race
                                                     condition vulnerability
  CVE-2014-0063  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)    PostgreSQL: stack-based
                                                     buffer overflow
                                                     vulnerability
  CVE-2014-0064  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)    PostgreSQL: integer
                                                     overflow vulnerability
  CVE-2014-0065  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)    PostgreSQL: buffer
                                                     overflow vulnerability
  CVE-2014-0066  4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)    PostgreSQL: denial of
                                                     service vulnerability
  CVE-2014-0067  4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)    PostgreSQL: privilege
                                                     escalation vulnerability

  STRM 2012.1 releases prior to 2012.1R8, STRM/JSA 2013.2 releases prior to
  2013.2R8 and JSA 2014.2R2 are affected by the following Apache HTTP Server
  and OpenSSL vulnerabilities:

  CVE            CVSS v2 base score                  Type of issue
  CVE-2014-0098  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)    Apache HTTP Server:
                                                     denial of service
  CVE-2014-0224  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)    OpenSSL: ChangeCipherSpec
                                                     injection
  CVE-2014-0198  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)    OpenSSL:
                                                     SSL_MODE_RELEASE_BUFFERS
                                                     NULL pointer dereference
                                                     denial of service
  CVE-2010-5298  4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)    OpenSSL:
                                                     SSL_MODE_RELEASE_BUFFERS
                                                     session injection or
                                                     denial of service

Solution:

  JSA 2012.1R8, 2013.2R8, 2014.2R3 or later releases completely resolve all
  the vulnerabilities mentioned above. Specifically:

  JSA 2013.2R8 and 2014.2R3 or later releases resolve CVE-2014-0098,
  CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2013-4286, CVE-2014-0033,
  CVE-2013-4322, CVE-2013-4590 and CVE-2014-0107.

  JSA 2012.1R8 or later releases resolve CVE-2014-0098, CVE-2014-0224,
  CVE-2014-0198, CVE-2010-5298, CVE-2014-0066, CVE-2014-0063, CVE-2014-0064,
  CVE-2014-0067, CVE-2014-0065, CVE-2014-0062, CVE-2014-0061 and
  CVE-2014-006.

  2013.2R7 or later releases resolve CVE-2014-0114 and CVE-2014-0411.

  2012.1R7 or later releases resolve CVE-2014-0411.

Workaround:

  Use access lists or firewall filters to limit access to the JSA/STRM
  device only from trusted hosts. Note that this reduces exposure rather
  than removing the flaws: the PostgreSQL issues require an authenticated
  database session (Au:S) and CVE-2014-0067 is local (AV:L), so network
  filtering does not address them, and CVE-2014-0224 is exploited by an
  attacker positioned between the device and a TLS peer rather than by
  direct access to the device.

Implementation:

  How to obtain fixed software:

  JSA and STRM Software Releases are available at
  http://www.juniper.net/support/downloads/.

Related Links:

  KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
           Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
           Advisories
  Report a Security Vulnerability - How to Contact the Juniper Networks
  Security Incident Response Team

CVSS Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Risk Level:    High

Risk Assessment:

  Apache Struts vulnerability CVE-2014-0114 has the highest CVSS v2 base
  score in this advisory, 7.5, a score it shares with the Apache Xalan-Java
  issue CVE-2014-0107.

Acknowledgements:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU+xBzhLndAQH1ShLAQIYlg//d9dMZxzoVgpNxlck4u9VO2Ax20H4tK5G
stnVO6wzgTa6aYZMNj1riNKV3o19tZbRTcr8q3+LmimhqYYPwSGVp75gLjYi9q7C
S5py/ueuYZ44gQ0rcC1Xz4AQV59nw0JLnwcDYoeOMmMhEIWRVFNA2g1S3sGbLgHz
IEGkwxG7fE5ZdEVDydEi6wg//kydF+5huv5DZVbxPyW9rGg8n0yfj3AxSAgKzdax
rNaOoqj8fmRHOivcNHz/bRIxoMj8/UHf4SfW5PECyT53C1p38jXRkRc/OZQAbFQI
PgF29xFQ3eHSr+zo8/Q64EZp2DGfcUON6QcoE/YByjoh+nejHq0rLBrJwoZ2JreP
4LyZS1HWK5KcNG8WQ/tUrc67zHNTFKyEYN4MVI5sV3khhbfVMhz2wbJkuoOSzh3p
yK/cdsxD5hOLYl/5dDQBfFD3K37kvYqfq9EebHsSJbt+5W+1uglQcI4IYgeEbTAQ
+/mHNUrYo1AVrg/zcUbltMGblqaMt4811jmHYv0X3v85lj6YL131eLzm7b7hIl2e
0cpSma7g/pmqhiGLIeMzVmEGnQyZyOiwcV60CySa2ZUdHH9eJU58Wee6IM8k47g9
dhoTUbsfs8nW1T8Szzk4W35sZyEqAyL2OQwrOl0Xm7Cqp9TbtH2E1DvFHD5XHrGq
e1+jbHRkUwA=
=S1mZ
-----END PGP SIGNATURE-----
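Editor's note: the CVSS v2 vectors printed beside each CVE in the bulletin above are enough to recompute the scores, which is a quick way to catch a transcription error before the numbers drive a patch priority. The calculator below is an added example, not code from AusCERT or Juniper; it implements the published CVSS v2.0 base equation (weights as in the CVSS v2 guide, rounding half-up to one decimal) and checks every row of the advisory's tables against its printed score.

```python
"""Recompute CVSS v2 base scores for the vectors listed in JSA10643.

Editor's added example, not code from the bulletin. Implements the CVSS
v2.0 base equation so the printed scores in the advisory can be checked.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

# CVSS v2.0 base metric weights (CVSS v2 guide).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
ALLOWED = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector: str) -> Dict[str, str]:
    """Turn '(AV:N/AC:L/Au:N/C:P/I:P/A:P)' into {'AV': 'N', ...}.

    Accepts the vector with or without the parentheses the advisory uses and
    rejects vectors with missing, extra or unknown metric values.
    """
    parts = vector.strip().strip("()").split("/")
    metrics = dict(p.split(":", 1) for p in parts)
    if set(metrics) != set(ALLOWED) or any(v not in ALLOWED[k] for k, v in metrics.items()):
        raise ValueError(f"malformed CVSS v2 base vector: {vector!r}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base score for a base vector, rounded half-up to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    if impact == 0:            # f(Impact) = 0 when there is no impact at all
        return 0.0
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# (CVE, printed score, printed vector) transcribed from the advisory's tables.
ADVISORY_ROWS: List[Tuple[str, float, str]] = [
    ("CVE-2014-0411", 4.0, "AV:N/AC:H/Au:N/C:P/I:P/A:N"),
    ("CVE-2014-0114", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("CVE-2013-4590", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2013-4286", 5.8, "AV:N/AC:M/Au:N/C:P/I:P/A:N"),
    ("CVE-2013-4322", 4.3, "AV:N/AC:M/Au:N/C:N/I:N/A:P"),
    ("CVE-2014-0033", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2014-0107", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("CVE-2014-0060", 4.0, "AV:N/AC:L/Au:S/C:N/I:P/A:N"),
    ("CVE-2014-0061", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0062", 4.9, "AV:N/AC:M/Au:S/C:P/I:P/A:N"),
    ("CVE-2014-0063", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0064", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0065", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0066", 4.0, "AV:N/AC:L/Au:S/C:N/I:N/A:P"),
    ("CVE-2014-0067", 4.6, "AV:L/AC:L/Au:N/C:P/I:P/A:P"),
    ("CVE-2014-0098", 5.0, "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
    ("CVE-2014-0224", 6.8, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("CVE-2014-0198", 4.3, "AV:N/AC:M/Au:N/C:N/I:N/A:P"),
    ("CVE-2010-5298", 4.0, "AV:N/AC:H/Au:N/C:N/I:P/A:P"),
]


def mismatches(rows=ADVISORY_ROWS) -> List[Tuple[str, float, float]]:
    """Rows whose printed score disagrees with the recomputed one (empty = consistent)."""
    out = []
    for cve, printed, vector in rows:
        computed = base_score(vector)
        if computed != printed:
            out.append((cve, printed, computed))
    return out


def highest(rows=ADVISORY_ROWS) -> Tuple[float, List[str]]:
    """Top score in the table and every CVE that reaches it."""
    top = max(base_score(v) for _, _, v in rows)
    return top, sorted(c for c, _, v in rows if base_score(v) == top)


if __name__ == "__main__":
    print("mismatches:", mismatches())
    print("highest:", highest())
```

Running it against the bulletin's tables reports no mismatches and shows that two entries, not one, reach 7.5, which is worth knowing when the Risk Assessment line is used to decide what gets patched first.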
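Editor's note: the Problem and Solution sections above spread the fix levels over several sentences, and a fleet of JSA/STRM appliances on different trains is easy to misjudge by eye. The script below is an added example, not code from AusCERT or Juniper. It transcribes the per-train first-fixed maintenance release stated in the bulletin and, for a given release string, lists which of the advisory's CVEs are still unresolved. It assumes release strings of the form 2013.2R7 (a bare 2013.2 is treated as the initial release). The 2013.1 and 2014.1 trains are named under Product Affected but receive no fix statement in the advisory, so they are reported as unmapped rather than clean; for CVE-2014-0411 the 2012.1R7 entry follows the Solution section, since the Problem section mentions only the 2013.2 train. The hostnames in the sample inventory are constructed.

```python
"""Which CVEs from JSA10643 remain open on a given JSA/STRM release?

Editor's added example, not code from the bulletin. FIXED_IN transcribes the
per-train first-fixed maintenance release from the advisory's Problem and
Solution sections; the inventory at the bottom is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# cve -> {train: first maintenance release ('Rn' number) that resolves it}.
# A train absent from an entry is not listed as affected by that CVE.
FIXED_IN: Dict[str, Dict[str, int]] = {
    # Problem section: 2013.2 prior to R7; Solution section also credits 2012.1R7.
    "CVE-2014-0411": {"2012.1": 7, "2013.2": 7},
    "CVE-2014-0114": {"2012.1": 7, "2013.2": 8},
    # Apache Tomcat / Xalan-Java: resolved by 2013.2R8 and 2014.2R3.
    "CVE-2013-4590": {"2013.2": 8, "2014.2": 3},
    "CVE-2013-4286": {"2013.2": 8, "2014.2": 3},
    "CVE-2013-4322": {"2013.2": 8, "2014.2": 3},
    "CVE-2014-0033": {"2013.2": 8, "2014.2": 3},
    "CVE-2014-0107": {"2013.2": 8, "2014.2": 3},
    # PostgreSQL CVE-2014-0060..0067: only the 2012.1 train is listed, fixed in R8.
    **{f"CVE-2014-00{n}": {"2012.1": 8} for n in range(60, 68)},
    # Apache HTTP Server / OpenSSL: all three mapped trains.
    "CVE-2014-0098": {"2012.1": 8, "2013.2": 8, "2014.2": 3},
    "CVE-2014-0224": {"2012.1": 8, "2013.2": 8, "2014.2": 3},
    "CVE-2014-0198": {"2012.1": 8, "2013.2": 8, "2014.2": 3},
    "CVE-2010-5298": {"2012.1": 8, "2013.2": 8, "2014.2": 3},
}

_RELEASE_RE = re.compile(r"^(\d{4}\.\d)(?:R(\d+))?$")


def parse_release(release: str) -> Tuple[str, int]:
    """'2013.2R7' -> ('2013.2', 7); a bare '2013.2' is maintenance level 0."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised JSA/STRM release string: {release!r}")
    return m.group(1), int(m.group(2) or 0)


def outstanding_cves(release: str) -> Optional[List[str]]:
    """CVEs from the advisory still open on `release`.

    Returns None when the advisory gives no fix statement for the train
    (2013.1, 2014.1, or anything newer than the bulletin), so "unknown" is
    never confused with "nothing outstanding".
    """
    train, maint = parse_release(release)
    if not any(train in fixes for fixes in FIXED_IN.values()):
        return None
    return sorted(cve for cve, fixes in FIXED_IN.items()
                  if train in fixes and maint < fixes[train])


def report(inventory: Dict[str, str]) -> Dict[str, str]:
    """One verdict line per host for a {hostname: release} inventory."""
    verdicts = {}
    for host, release in inventory.items():
        try:
            open_cves = outstanding_cves(release)
        except ValueError as exc:
            verdicts[host] = f"{release}: {exc}"
            continue
        if open_cves is None:
            verdicts[host] = f"{release}: train not mapped in JSA10643, confirm with vendor"
        elif open_cves:
            verdicts[host] = f"{release}: {len(open_cves)} unresolved: {', '.join(open_cves)}"
        else:
            verdicts[host] = f"{release}: all CVEs in JSA10643 resolved"
    return verdicts


# Constructed inventory; hostnames and releases are illustrative only.
SAMPLE_INVENTORY = {
    "strm-syd-01": "2012.1R7",
    "jsa-mel-01": "2013.2R8",
    "jsa-bne-01": "2014.2R2",
    "jsa-lab-01": "2014.1",
}

if __name__ == "__main__":
    for host, verdict in report(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

The point of returning None for an unmapped train is the same one the bulletin's own footer makes: a release the advisory does not speak to is not thereby safe, and the right next step is the vendor's KB16765 rather than marking the host green.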