===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0154
   2018-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved
                              in 17.2R1 release
                              15 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos Space
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0013 CVE-2018-0012 CVE-2018-0011 CVE-2017-1000112
                   CVE-2017-1000111 CVE-2017-15098 CVE-2017-14106 CVE-2017-12172
                   CVE-2017-9798 CVE-2017-9788 CVE-2017-7679 CVE-2017-7668
                   CVE-2017-5664 CVE-2017-5645 CVE-2017-3169 CVE-2017-3167
                   CVE-2016-8743 CVE-2016-8655 CVE-2016-2141 CVE-2015-7501
                   CVE-2015-7236 CVE-2015-5304 CVE-2015-5220 CVE-2015-5188
                   CVE-2015-5174
Reference:         ASB-2017.0219 ASB-2017.0181 ASB-2017.0180 ASB-2017.0177
                   ASB-2017.0175

Original Bulletin:
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10838&actp=RSS

--------------------------BEGIN INCLUDED TEXT--------------------

2018-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 17.2R1 release

Categories:       Network Management
Article ID:       JSA10838
                  Junos Space SIRT Advisory
Last Updated:     12 Jan 2018
Version:          4.0
Product Affected: Junos Space releases prior to 17.2R1

Problem:

Multiple vulnerabilities have been resolved in the Junos Space 17.2R1 release, including updates to third party software found within Junos Space.
Important security issues resolved as a result of these upgrades include (CVE, CVSS base score and vector, summary):

CVE-2017-14106   CVSS 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.

CVE-2017-1000111 CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable; we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.

CVE-2017-1000112 CVSS 7.0 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
    Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, in between two send() calls the append path can be switched from UFO to a non-UFO one, which leads to a memory corruption. In case the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

CVE-2015-7501    CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

CVE-2015-5304    CVSS 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
    Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does not properly authorize access to shut down the server, which allows remote authenticated users with the Monitor, Deployer, or Auditor role to cause a denial of service via unspecified vectors.

CVE-2016-2141    CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.

CVE-2015-5174    CVSS 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

CVE-2017-5645    CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVE-2017-5664    CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
    The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user-provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

CVE-2015-5188    CVSS 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a file upload using a multipart/form-data submission.

CVE-2015-5220    CVSS 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption) via a large request header.

CVE-2015-7236    CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.

CVE-2016-8743    CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
    Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

CVE-2017-3167    CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

CVE-2017-3169    CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

CVE-2017-7668    CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.

CVE-2017-7679    CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.

CVE-2017-9788    CVSS 9.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
    In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.

CVE-2017-9798    CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
    Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

CVE-2018-0011    CVSS 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
    Junos Space: Reflected XSS vulnerability in Junos Space management interface.

CVE-2018-0012    CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    Junos Space: Local privilege escalation vulnerability in Junos Space.

CVE-2018-0013    CVSS 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    Junos Space: Local File Inclusion vulnerability.

CVE-2017-12172   CVSS 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
    PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server.

CVE-2017-15098   CVSS 8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
    Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.
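The log-file symlink pattern described for CVE-2017-12172 above, with the hardened open a root-run startup script should use instead, as an added example that is not part of the bulletin or of PostgreSQL's own startup scripts (the function names and the temporary-directory demo are constructed):

```c
/* Added example, not from the Juniper bulletin or from PostgreSQL. The
 * CVE-2017-12172 pattern: a root-run startup script open()s, chmod()s and
 * chown()s a log file by name, and the database superuser can replace that
 * name with a symlink. The safe variant opens with O_NOFOLLOW (a symlink is
 * refused) and sets permissions on the descriptor, never on the path. The
 * function names and the temp-directory demo are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) a log file without following a symlink in the
 * final component. Returns an fd, or -1 with errno set (ELOOP for a symlink). */
int open_log_nofollow(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return -1;
    /* Never go back to the name after open(): fchmod/fchown on the fd. A root
     * service would fchown(fd, svc_uid, svc_gid) here; omitted to stay unprivileged. */
    if (fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a temp directory: returns 1 if a symlink at the log path
 * is refused with ELOOP and a regular file at the same path is accepted, else 0. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/pglog-demo-XXXXXX", target[300], logpath[300];
    int ok = 0, fd;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/file-attacker-wants-touched", dir);
    snprintf(logpath, sizeof logpath, "%s/postgres.log", dir);
    /* Attacker-controlled state: the log name is a (dangling) symlink. */
    if (symlink(target, logpath) == 0) {
        fd = open_log_nofollow(logpath, 0640);
        ok = (fd < 0 && errno == ELOOP);
        if (fd >= 0) close(fd);
        unlink(logpath);
        /* Honest case: a plain file at the same name is created and opened. */
        fd = open_log_nofollow(logpath, 0640);
        ok = ok && fd >= 0;
        if (fd >= 0) close(fd);
        unlink(logpath);
    }
    rmdir(dir);
    return ok;
}
```

The same descriptor-based approach applies to the chown() step when the script runs as root: resolve the name once with O_NOFOLLOW, then only ever use the fd.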
Solution:

The following software releases have been updated to resolve these specific issues: Junos Space 17.2R1, and all subsequent releases.

These issues are being tracked as PRs 1322467, 1296620, 1304289, 1322015, 1259822, 1287134, 1296621 and 1320984, which are visible on the Customer Support website.

Workaround:

Use access lists or firewall filters to limit access to the device only from trusted hosts and administrators.

Implementation:

Software releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

2018-01-10: Initial publication
2018-01-12: Include CVE IDs related to PostgreSQL upgrade (PR 1320984)

Related Links:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level: Critical

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

Juniper SIRT would like to acknowledge and thank the team at cyberhouse.ge for responsibly reporting CVE-2018-0013.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================