-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2142
     Juniper Secure Analytics and Security Threat Response Manager:
                          Multiple vulnerabilities
                              13 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Secure Analytics (JSA)
                   Juniper Security Threat Response Manager (STRM)
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise                -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Cross-site Scripting           -- Remote with User Interaction
                   Access Confidential Data       -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4833 CVE-2014-4830 CVE-2014-4828 CVE-2014-4827
                   CVE-2014-4825 CVE-2014-3091 CVE-2014-3062 CVE-2014-0837
                   CVE-2014-0119 CVE-2014-0099 CVE-2014-0096 CVE-2014-0095
                   CVE-2014-0075
Reference:         ASB-2014.0121
                   ASB-2014.0077
                   ESB-2014.1894
                   ESB-2014.1866
                   ESB-2014.1798
                   ESB-2014.1758
                   ESB-2014.1575

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10657

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-11 Security Bulletin: Juniper Secure Analytics and Security Threat
Response Manager: Multiple vulnerabilities

Categories:   STRM Series
              JSA Series
              SIRT Advisory
              Security Advisories
ID:           JSA10657
Last Updated: 11 Nov 2014
Version:      2.0

PRODUCT AFFECTED:

JSA series devices or virtual machines with JSA software releases 2013.2,
2014.1 and 2014.2, and STRM series devices or virtual machines with STRM
software releases 2012.1, 2013.1 and 2013.2.

PROBLEM:

STRM and JSA 2013.2 releases prior to 2013.2R9, and JSA 2014 releases prior
to 2014.3R1, are affected by the following vulnerabilities:

CVE            CVSS v2 base score (vector)
    Summary
CVE-2014-3062  9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
    A remote code execution vulnerability that would allow a remote attacker
    with detailed knowledge of the system and of the product's operation to
    execute code with root privileges.

CVE-2014-4833  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
    A vulnerability that would allow a remote authenticated user to gain
    privileges via invalid input.

CVE-2014-0075  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    Integer overflow in Apache Tomcat's handling of chunked transfer-coding
    (a malformed chunk size), allowing a remote denial of service.

CVE-2014-0095  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    Denial of service (thread consumption) in Apache Tomcat via an AJP
    request carrying a zero-length Content-Length header.

CVE-2014-3091  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
    Cross-site scripting (XSS) vulnerability.

CVE-2014-0096  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    XML External Entity (XXE) issue in Apache Tomcat's default servlet when
    it processes XSLT stylesheets.

CVE-2014-0099  4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    Integer overflow in Apache Tomcat's parsing of the Content-Length header,
    enabling HTTP request smuggling when Tomcat sits behind a reverse proxy.

CVE-2014-0119  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    XML External Entity (XXE) issue in Apache Tomcat: the XML parser used for
    XSLT stylesheets is not properly constrained, allowing file disclosure.

CVE-2014-0837  4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    Insufficient verification of X.509 certificates by the auto-update
    process while downloading updates, which may allow a man-in-the-middle
    attacker to manipulate the update traffic.

CVE-2014-4825  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Incorrect handling of secure connections when communicating with other
    applications, which allows a man-in-the-middle attacker to recover
    clear-text credentials or other sensitive information.

CVE-2014-4827  4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    Cross-site scripting (XSS) vulnerability.

CVE-2014-4828  4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    Clickjacking vulnerability.

CVE-2014-4830  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Missing HttpOnly flag on sensitive cookies; the flag prevents client-side
    script from reading them.

SOLUTION:

These issues are resolved in:

    JSA 2014.3R1 or later releases.
    JSA or STRM 2013.2R9 or later releases.

Note that STRM 2012.1 and 2013.1 are listed as affected but no fixed release
is named within those trains; the remedy for them is an upgrade to 2013.2R9
or later.

WORKAROUND:

There are no known workarounds that mitigate all of the above issues.
Limiting access to the device to trusted hosts only would mitigate or lessen
the risk of exposure to some of the issues: it narrows who can reach the
unauthenticated attack surface (CVE-2014-3062 and the Tomcat denial-of-service
issues), but it does not address the issues that play out in an operator's
browser (XSS, clickjacking, the missing HttpOnly flag) or on the device's own
outbound connections (CVE-2014-0837 and CVE-2014-4825).

IMPLEMENTATION:

JSA and STRM software is available for download from
http://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:

2014-11-12: Initial publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
         Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
         Advisories
Report a Security Vulnerability - How to Contact the Juniper Networks
Security Incident Response Team

CVSS SCORE: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

RISK LEVEL: Critical

RISK ASSESSMENT:

Vulnerability CVE-2014-3062 has the highest CVSS v2 base score (9.3) in this
advisory.

ACKNOWLEDGEMENTS:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVGQRGhLndAQH1ShLAQJrGRAAi1YYne674VEI/YTxJsC0yyy/Dpw+aliy
YupyW/smkatTVml+TY9VCd1UB/N/OlMpTADEZOeD6hbkaxIaRz05vUk0nwS50L3s
4nGPRGsMoJZ2fH/rzpAH15BR0Gl9uoxwtvCnb9IIMo3UcNLXnD5AC4fNxa5/CYz4
3WCoKVpwC+3tDoSrdWq/e5KW6yIjqvlsfCHA4ILCEvL+q04Xup4GiKv75QJPZUWi
rRFu6/Av3/FbQuU2XCOW/XU3dbPjqGsiClok1jgsAY+kWWho4aDyASfw8rQvmlgC
YLAom9B/Yg14cZQSlDiR4S4/D1RBCiMP6v1SmFEinxNO4BMGQOmzc4ieWP9wo+I3
kXysy9I009uMuApcU8cb0+bbhBvSHZHb+1GNOWkFx6iALP4mmPS02yfKLJa2Az07
UHfncLNcZ8EQYaAuluNf1DYiJHaCWu1MOFfHEyuY3u0WwEz2Li0Pzou76R3yrqSB
xhE9uVu+GbS6i8taTnKjP6OTpjSKD+CD9I8O8H6oIZ9kQn2KlGsEAD6jSMfVPUnn
Sg0GV2aKno4PQTWyQp1EPiHTJ6LuyL+Lfj0qAHWsSCLQTp0KCuqKSnzFuTiOc9Vu
dTkKzz6cA73pTX7r1p82FSg/kts58FzaD6jDQ45GaS14z3zLctiHRSH9MA7hh2s0
ZONxE739/Fk=
=Dy2i
-----END PGP SIGNATURE-----
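The PROBLEM and SOLUTION sections above state the affected and fixed releases in prose (STRM/JSA 2013.2 before 2013.2R9, JSA 2014 before 2014.3R1; fixed in 2013.2R9 and 2014.3R1 or later). The following is an added example, not part of the AusCERT bulletin or of Juniper's tooling, that turns that statement into a check an operator can run over an inventory. It assumes the release-string form year.train followed by an optional Rn suffix, treats a missing Rn as 0, treats a bare "2014.3" conservatively as earlier than 2014.3R1, and uses a constructed inventory whose hostnames and versions are made up.

```python
"""Affected-release check for JSA10657.  Added example, not part of the
advisory or of Juniper's tooling.  It encodes only what the advisory says:
STRM and JSA 2013.2 before 2013.2R9 and JSA 2014 before 2014.3R1 are
affected, and 2013.2R9 / 2014.3R1 or later releases resolve the issues."""
import re
from typing import NamedTuple


class Release(NamedTuple):
    year: int
    train: int
    r: int  # Rn maintenance number; 0 when the string has no R suffix (assumption)


RELEASE_RE = re.compile(r"^(\d{4})\.(\d+)(?:R(\d+))?$")


def parse_release(text):
    """'2013.2R9' -> Release(2013, 2, 9); '2014.1' -> Release(2014, 1, 0)."""
    m = RELEASE_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised JSA/STRM release string: {text!r}")
    year, train, r = m.groups()
    return Release(int(year), int(train), int(r) if r else 0)


def format_release(rel):
    return f"{rel.year}.{rel.train}R{rel.r}" if rel.r else f"{rel.year}.{rel.train}"


# Release trains listed under PRODUCT AFFECTED, per product.
AFFECTED_TRAINS = {
    "JSA": {(2013, 2), (2014, 1), (2014, 2)},
    "STRM": {(2012, 1), (2013, 1), (2013, 2)},
}
FIX_2013 = Release(2013, 2, 9)  # "JSA or STRM 2013.2R9 or later releases"
FIX_2014 = Release(2014, 3, 1)  # "JSA 2014.3R1 or later releases"


class Verdict(NamedTuple):
    status: str      # "fixed", "affected" or "not-listed"
    upgrade_to: str  # fixed release the advisory names, "" when none applies


def assess(product, version):
    """Classify one installed release against the advisory."""
    product = product.upper()
    if product not in AFFECTED_TRAINS:
        raise ValueError(f"advisory covers JSA and STRM only, not {product!r}")
    rel = parse_release(version)
    train = (rel.year, rel.train)
    # Fixed: 2013.2R9+ inside the 2013.2 train, or 2014.3R1 and anything later.
    # A bare "2014.3" (no R) is treated as earlier than 2014.3R1, i.e. conservatively.
    if (train == (2013, 2) and rel >= FIX_2013) or rel >= FIX_2014:
        return Verdict("fixed", "")
    if train not in AFFECTED_TRAINS[product]:
        return Verdict("not-listed", "")
    # Affected: 2014.x goes to 2014.3R1; 2013.2 before R9 and the older
    # trains (2012.1, 2013.1) go to 2013.2R9, the only fix named for them.
    target = FIX_2014 if rel.year >= 2014 else FIX_2013
    return Verdict("affected", format_release(target))


def assess_inventory(inventory):
    """Run assess() over (hostname, product, version) rows; returns {hostname: Verdict}."""
    return {host: assess(product, version) for host, product, version in inventory}


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("jsa-console-1", "JSA", "2014.2R3"),
    ("jsa-console-2", "JSA", "2014.3R1"),
    ("strm-legacy", "STRM", "2012.1R6"),
    ("strm-ep-7", "STRM", "2013.2R9"),
]

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:15} {verdict.status:10} {verdict.upgrade_to}")
```

The "not-listed" verdict is deliberate: a release the advisory neither names as affected nor as fixed (for instance STRM 2014.x) should be checked against the vendor's current bulletin rather than assumed safe.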
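Every row of the PROBLEM table above carries a CVSS v2 base vector next to its score, and the RISK ASSESSMENT picks the row with the highest score. The following is an added example, not part of the bulletin, that recomputes each score from its vector using the CVSS v2.0 base equation and metric weights, so a reader can confirm the published numbers (and spot a transcription error in any advisory that lists vectors). The table of CVEs and vectors is copied from the bulletin; everything else is the example's own.

```python
"""CVSS v2.0 base-score calculator, checked against the vectors published in
JSA10657.  Added example, not part of the advisory; the weights and the
formula are those of the CVSS v2.0 specification."""
import re
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)


def parse_vector(vector):
    """Split 'AV:N/AC:M/Au:N/C:C/I:C/A:C' (parentheses optional) into its six metrics."""
    match = VECTOR_RE.match(vector.strip().strip("()"))
    if not match:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), match.groups()))


def base_score(vector):
    """CVSS v2 base score, rounded half-up to one decimal as the spec requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    if impact == 0:
        return 0.0  # f(Impact) is 0 when there is no impact at all
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# (CVE, score as published in JSA10657, vector as published in JSA10657)
ADVISORY_TABLE = [
    ("CVE-2014-3062", 9.3, "AV:N/AC:M/Au:N/C:C/I:C/A:C"),
    ("CVE-2014-4833", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-2014-0075", 5.0, "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
    ("CVE-2014-0095", 5.0, "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
    ("CVE-2014-3091", 5.0, "AV:N/AC:L/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-0096", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2014-0099", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-0119", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2014-0837", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-4825", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-2014-4827", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-4828", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("CVE-2014-4830", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
]


def recompute_advisory(table=ADVISORY_TABLE):
    """Return {cve: (published, recomputed)} for every row whose score does not match."""
    mismatches = {}
    for cve, published, vector in table:
        recomputed = base_score(vector)
        if recomputed != published:
            mismatches[cve] = (published, recomputed)
    return mismatches


def highest_scoring(table=ADVISORY_TABLE):
    """(CVE, recomputed score) of the worst row; this is what RISK ASSESSMENT reports."""
    return max(((cve, base_score(vec)) for cve, _, vec in table), key=lambda row: row[1])


if __name__ == "__main__":
    for cve, published, vector in ADVISORY_TABLE:
        print(f"{cve}  published {published}  recomputed {base_score(vector)}  {vector}")
    print("mismatches:", recompute_advisory() or "none")
    print("highest:", highest_scoring())
```

Note that the vector alone decides the score: CVE-2014-3091 (I:P) and CVE-2014-0075 (A:P) are different bugs but score identically, because CVSS v2 weights the three impact metrics equally. Rounding is done with ROUND_HALF_UP on the decimal representation rather than Python's round(), which rounds half to even.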
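Two of the findings in the table, the missing HttpOnly flag (CVE-2014-4830) and clickjacking (CVE-2014-4828), are the kind of thing an operator can verify from a single HTTP response after upgrading. The following is an added example, not part of the bulletin or of the product, that audits a response's Set-Cookie and anti-framing headers. Both responses are constructed for the example and do not reproduce real JSA/STRM output; the cookie names, the X-Frame-Options/CSP frame-ancestors check and the Secure-flag check are the example's own choices, the bulletin only names HttpOnly and clickjacking.

```python
"""Response-header audit for the client-side findings in JSA10657: the
missing HttpOnly flag (CVE-2014-4830) and clickjacking (CVE-2014-4828).
Added example, not part of the advisory or the product; both sample
responses are constructed and do not reproduce real JSA/STRM output."""

# Constructed "before" response: one cookie lacks HttpOnly, nothing forbids framing.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 13 Nov 2014 02:00:00 GMT\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: SESSIONID=0123456789abcdef; Path=/; Secure\r\n"
    "Set-Cookie: consoleprefs=tz%3DUTC; Path=/console; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed "after" response with both fixes applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 13 Nov 2014 02:00:00 GMT\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: SESSIONID=0123456789abcdef; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: consoleprefs=tz%3DUTC; Path=/console; Secure; HttpOnly\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response_headers(raw):
    """Return (status_line, [(name, value), ...]); repeated headers such as
    Set-Cookie are kept as separate entries and names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attributes(set_cookie):
    """'SESSIONID=abc; Path=/; Secure' -> ('SESSIONID', {'path': '/', 'secure': ''})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(raw, served_over_https=True):
    """Return a list of findings; an empty list means the response passes these checks."""
    _, headers = parse_response_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly, readable by client-side script")
        if served_over_https and "secure" not in attrs:
            findings.append(f"cookie {cookie}: missing Secure, may be sent over clear-text HTTP")
    names = {name for name, _ in headers}
    csp = " ".join(value for name, value in headers if name == "content-security-policy")
    if "x-frame-options" not in names and "frame-ancestors" not in csp.lower():
        findings.append("no X-Frame-Options or CSP frame-ancestors: page can be framed (clickjacking)")
    return findings


if __name__ == "__main__":
    for label, response in (("before", SAMPLE_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(f"{label}: {audit(response) or ['no findings']}")
```

To use it against a live console, capture the raw response (for example with curl -i over the management interface) and pass the text to audit(); a clean result on the login page and on an authenticated page is the post-upgrade evidence worth keeping with the change record.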