===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2144
   Junos Space: Multiple vulnerabilities resolved by third party software
                                  upgrades
                              13 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos Space
                   JA1500
                   JA2500
Publisher:         Juniper Networks
Operating System:  Linux variants
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0460 CVE-2014-0453 CVE-2014-0423 CVE-2014-0411
                   CVE-2013-5908 CVE-2012-2131 CVE-2012-2110
Reference:         ASB-2014.0063 ASB-2014.0005 ESB-2014.2046 ESB-2014.1394
                   ESB-2014.1386 ASB-2012.0172

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10659

--------------------------BEGIN INCLUDED TEXT--------------------

2014-11 Security Bulletin: Junos Space: Multiple vulnerabilities resolved by
third party software upgrades

PRODUCT AFFECTED:
Junos Space and JA1500, JA2500 (Junos Space Appliance) with Junos Space 13.3
and earlier releases.

PROBLEM:
Junos Space release 14.1R1 addresses multiple vulnerabilities in prior
releases with updated third party software components.
The following is a list of software upgraded and vulnerabilities resolved:

Oracle Java runtime 1.7.0 update_45 was upgraded to 1.7.0 update_51 which
resolves:

CVE            CVSS v2 base score                 Summary
CVE-2014-0460  5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)  Vulnerability in JNDI
CVE-2014-0453  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)  Vulnerability in Java security component
CVE-2014-0423  5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P)  Vulnerability in Java Beans
CVE-2014-0411  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)  Vulnerability in JSSE

OpenSSL CentOS package was upgraded to 0.9.8e-27.el5_10.1 which resolves:

CVE            CVSS v2 base score                 Summary
CVE-2012-2110  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)  OpenSSL: Buffer overflow vulnerability
CVE-2012-2131  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)  Buffer overflow vulnerability

Oracle MySQL was upgraded from 5.5.34 to 5.5.36 which resolves:

CVE            CVSS v2 base score                 Summary
CVE-2013-5908  2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)  Denial of service vulnerability in MySQL Error handling

SOLUTION:
These issues are fixed in Junos Space 14.1R1 and all subsequent releases.

WORKAROUND:
Use access lists or firewall filters to limit access to the Junos Space device
only from trusted hosts.

IMPLEMENTATION:
Junos Space Releases are available at
http://www.juniper.net/support/downloads/?p=space#sw.

Note: If you are upgrading to 14.1 from previous releases please download and
install the bash security update v2 patch (even if Bash Security Update was
previously installed). Please see http://kb.juniper.net/JSA10648

MODIFICATION HISTORY:
2014-11-12: Initial publication.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
         Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
         Advisories
Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

CVSS SCORE:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

RISK LEVEL:
High

RISK ASSESSMENT:
OpenSSL vulnerabilities CVE-2012-2110 and CVE-2012-2131 have the highest CVSS
v2 base score of 7.5 in this advisory.

ACKNOWLEDGEMENTS:

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================