===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2144
          Junos Space: Multiple vulnerabilities resolved by third
                          party software upgrades
                             13 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos Space
                   JA1500
                   JA2500
Publisher:         Juniper Networks
Operating System:  Linux variants
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0460 CVE-2014-0453 CVE-2014-0423
                   CVE-2014-0411 CVE-2013-5908 CVE-2012-2131
                   CVE-2012-2110

Reference:         ASB-2014.0063
                   ASB-2014.0005
                   ESB-2014.2046
                   ESB-2014.1394
                   ESB-2014.1386
                   ASB-2012.0172

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10659

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-11 Security Bulletin: Junos Space: Multiple vulnerabilities resolved by 
third party software upgrades

PRODUCT AFFECTED:

Junos Space and JA1500, JA2500 (Junos Space Appliance) with Junos Space 13.3 
and earlier releases.

PROBLEM:

Junos Space release 14.1R1 addresses multiple vulnerabilities in prior 
releases with updated third party software components. The following is a list
of software upgraded and vulnerabilities resolved:

Oracle Java runtime 1.7.0 update_45 was upgraded to 1.7.0 update_51 which 
resolves:

CVE            CVSS v2 base score                 Summary
CVE-2014-0460  5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)   Vulnerability in JNDI
CVE-2014-0453  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)   Vulnerability in Java security component
CVE-2014-0423  5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P)   Vulnerability in Java Beans
CVE-2014-0411  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)   Vulnerability in JSSE

OpenSSL CentOS package was upgraded to 0.9.8e-27.el5_10.1 which resolves:

CVE            CVSS v2 base score                 Summary
CVE-2012-2110  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)   OpenSSL: Buffer overflow vulnerability
CVE-2012-2131  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Buffer overflow vulnerability

Oracle MySQL was upgraded from 5.5.34 to 5.5.36 which resolves:

CVE            CVSS v2 base score                 Summary
CVE-2013-5908  2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)   Denial of service vulnerability in MySQL error handling
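The tables above name the third party component versions that ship fixed in Junos Space 14.1R1. The following is an added example (not code from the advisory or from Juniper) that compares the version strings reported by java -version, rpm -q openssl and mysql --version on a Junos Space host against those fixed versions and reports which components are still below them; the sample outputs are constructed, and the version ordering is a simplified one, not the full rpmvercmp algorithm.

```python
import re

# Component versions the advisory names as fixed in Junos Space 14.1R1.
FIXED = {
    "java":    "1.7.0_51",
    "openssl": "0.9.8e-27.el5_10.1",
    "mysql":   "5.5.36",
}

# Where the version string sits in each tool's output (assumed formats).
PATTERNS = {
    "java":    re.compile(r'java version "([^"]+)"'),   # java -version
    "openssl": re.compile(r"^openssl-(\S+)$"),          # rpm -q openssl
    "mysql":   re.compile(r"Distrib (\S+?),"),          # mysql --version
}

def version_key(v):
    """Tokenise a version/release string so it can be compared chunk by chunk.
    Digit runs compare numerically, letter runs lexically, and a numeric chunk
    sorts before an alphabetic one. Simplified ordering, not full rpmvercmp,
    but sufficient for the strings in this advisory."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", v)]

def parse_version(component, output):
    """Extract the version string from a tool's output, or None if absent."""
    m = PATTERNS[component].search(output)
    return m.group(1) if m else None

def unpatched(observed):
    """Return {component: (installed, fixed)} for each component whose observed
    version is below the fixed version or could not be parsed (installed=None)."""
    result = {}
    for comp, fixed in FIXED.items():
        installed = parse_version(comp, observed.get(comp, ""))
        if installed is None or version_key(installed) < version_key(fixed):
            result[comp] = (installed, fixed)
    return result

# Constructed sample outputs from a pre-14.1R1 host (not captured from a real system).
SAMPLE = {
    "java":    'java version "1.7.0_45"\nJava(TM) SE Runtime Environment (build 1.7.0_45-b18)',
    "openssl": "openssl-0.9.8e-26.el5_9.1",
    "mysql":   "mysql  Ver 14.14 Distrib 5.5.34, for Linux (x86_64) using readline 5.1",
}

if __name__ == "__main__":
    for comp, (have, need) in unpatched(SAMPLE).items():
        print(f"{comp}: installed {have}, fixed in {need}")
```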

SOLUTION:

These issues are fixed in Junos Space 14.1R1 and all subsequent releases.

WORKAROUND:

Use access lists or firewall filters to limit access to the Junos Space device
only from trusted hosts.

IMPLEMENTATION:

Junos Space Releases are available at 
http://www.juniper.net/support/downloads/?p=space#sw.

Note: If you are upgrading to 14.1 from a previous release, please download and
install the Bash Security Update v2 patch (even if the Bash Security Update was
previously installed). Please see http://kb.juniper.net/JSA10648.

MODIFICATION HISTORY:

2014-11-12: Initial publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

CVSS SCORE:

7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

RISK LEVEL:

High

RISK ASSESSMENT:

OpenSSL vulnerabilities CVE-2012-2110 and CVE-2012-2131 have the highest CVSS
v2 base score of 7.5 in this advisory.

ACKNOWLEDGEMENTS:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================