===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.1299                               
On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure 
                        Analytics in 7.5.0 UP7 IF05                        
                             29 February 2024                              
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Secure Analytics (JSA)                          
Publisher:         Juniper Networks                                        
Operating System:  Juniper                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-4207 CVE-2023-4206 CVE-2023-43642              
                   CVE-2023-3611 CVE-2023-5676 CVE-2022-43552              
                   CVE-2022-40982 CVE-2023-44981 CVE-2023-3776             
                   CVE-2023-37920 CVE-2023-20569 CVE-2023-32360            
                   CVE-2023-20593 CVE-2023-4208                            

Original Bulletin:
   https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-vulnerabilities-resolved-in-Juniper-Secure-Analytics-in-7-5-0-UP7-IF05

Comment: CVSS (Max):  9.8 CVE-2023-37920 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Juniper Networks                                     
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


--------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA77742

Product Affected: These issues affect Juniper Secure Analytics (JSA).

Severity Level:   Critical

CVSS Score:       9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem:

Multiple vulnerabilities have been resolved in 7.5.0 UP7 IF05.

These issues affect Juniper Networks Juniper Secure Analytics:
o All versions prior to 7.5.0 UP7.

This issue was discovered during external security research.
+--------------+----------+---------------------------------------------------+
|     CVE      |   CVSS   |                      Summary                      |
+--------------+----------+---------------------------------------------------+
|              |          |A use after free vulnerability exists in curl      |
|              |5.9 (     |<7.87.0. Curl can be asked to *tunnel* virtually   |
|              |CVSS:3.1/ |all protocols it supports through an HTTP proxy.   |
|CVE-2022-43552|AV:N/AC:H/|HTTP proxies can (and often do) deny such tunnel   |
|              |PR:N/UI:N/|operations. When getting denied to tunnel the      |
|              |S:U/C:N/  |specific protocols SMB or TELNET, curl would use a |
|              |I:N/A:H ) |heap-allocated struct after it had been freed, in  |
|              |          |its transfer shutdown code path.                   |
+--------------+----------+---------------------------------------------------+
|              |          |Authorization Bypass Through User-Controlled Key   |
|              |          |vulnerability in Apache ZooKeeper. If SASL Quorum  |
|              |          |Peer authentication is enabled in ZooKeeper        |
|              |          |(quorum.auth.enableSasl=true), the authorization is|
|              |          |done by verifying that the instance part in SASL   |
|              |          |authentication ID is listed in zoo.cfg server list.|
|              |9.1 (     |The instance part in SASL auth ID is optional and  |
|              |CVSS:3.1/ |if it's missing, like 'eve@EXAMPLE.COM', the       |
|              |AV:N/AC:L/|authorization check will be skipped. As a result an|
|CVE-2023-44981|PR:N/UI:N/|arbitrary endpoint could join the cluster and begin|
|              |S:U/C:H/  |propagating counterfeit changes to the leader,     |
|              |I:H/A:N ) |essentially giving it complete read-write access to|
|              |          |the data tree. Quorum Peer authentication is not   |
|              |          |enabled by default. Users are recommended to       |
|              |          |upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes|
|              |          |the issue. Alternately ensure the ensemble election|
|              |          |/quorum communication is protected by a firewall as|
|              |          |this will mitigate the issue. See the documentation|
|              |          |for more details on correct cluster administration.|
+--------------+----------+---------------------------------------------------+
|              |5.9 (     |In Eclipse OpenJ9 before version 0.41.0, the JVM   |
|              |CVSS:3.1/ |can be forced into an infinite busy hang on a      |
|CVE-2023-5676 |AV:N/AC:H/|spinlock or a segmentation fault if a shutdown     |
|              |PR:N/UI:N/|signal (SIGTERM, SIGINT or SIGHUP) is received     |
|              |S:U/C:N/  |before the JVM has finished initializing.          |
|              |I:N/A:H ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |          |snappy-java is a Java port of the snappy, a fast   |
|              |          |C++ compressor/decompressor developed by Google.   |
|              |          |The SnappyInputStream was found to be vulnerable to|
|              |7.5 (     |Denial of Service (DoS) attacks when decompressing |
|              |CVSS:3.1/ |data with a too large chunk size. Due to missing   |
|              |AV:N/AC:L/|upper bound check on chunk length, an unrecoverable|
|CVE-2023-43642|PR:N/UI:N/|fatal error can occur. All versions of snappy-java |
|              |S:U/C:N/  |including the latest released version 1.1.10.3 are |
|              |I:N/A:H ) |vulnerable to this issue. A fix has been introduced|
|              |          |in commit `9f8c3cf74` which will be included in the|
|              |          |1.1.10.4 release. Users are advised to upgrade.    |
|              |          |Users unable to upgrade should only accept         |
|              |          |compressed data from trusted sources.              |
+--------------+----------+---------------------------------------------------+
|              |5.5 (     |An authentication issue was addressed with improved|
|              |CVSS:3.1/ |state management. This issue is fixed in macOS Big |
|CVE-2023-32360|AV:L/AC:L/|Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura   |
|              |PR:L/UI:N/|13.4. An unauthenticated user may be able to access|
|              |S:U/C:H/  |recently printed documents.                        |
|              |I:N/A:N ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |6.5 (     |Information exposure through microarchitectural    |
|              |CVSS:3.1/ |state after transient execution in certain vector  |
|CVE-2022-40982|AV:L/AC:L/|execution units for some Intel(R) Processors may   |
|              |PR:L/UI:N/|allow an authenticated user to potentially enable  |
|              |S:C/C:H/  |information disclosure via local access.           |
|              |I:N/A:N ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |          |An out-of-bounds write vulnerability in the Linux  |
|              |7.8 (     |kernel's net/sched: sch_qfq component can be       |
|              |CVSS:3.1/ |exploited to achieve local privilege escalation.   |
|CVE-2023-3611 |AV:L/AC:L/|The qfq_change_agg() function in net/sched/        |
|              |PR:L/UI:N/|sch_qfq.c allows an out-of-bounds write because    |
|              |S:U/C:H/  |lmax is updated according to packet sizes without  |
|              |I:H/A:H ) |bounds checks. We recommend upgrading past commit  |
|              |          |3e337087c3b5805fe0b8a46ba622a962880b5d64.          |
+--------------+----------+---------------------------------------------------+
|              |          |A use-after-free vulnerability in the Linux        |
|              |          |kernel's net/sched: cls_fw component can be        |
|              |          |exploited to achieve local privilege escalation. If|
|              |7.8 (     |tcf_change_indev() fails, fw_set_parms() will      |
|              |CVSS:3.1/ |immediately return an error after incrementing or  |
|CVE-2023-3776 |AV:L/AC:L/|decrementing the reference counter in              |
|              |PR:L/UI:N/|tcf_bind_filter(). If an attacker can control the  |
|              |S:U/C:H/  |reference counter and set it to zero, they can     |
|              |I:H/A:H ) |cause the reference to be freed, leading to a      |
|              |          |use-after-free vulnerability. We recommend         |
|              |          |upgrading past commit                              |
|              |          |0323bce598eea038714f941ce2b22541c46d488f.          |
+--------------+----------+---------------------------------------------------+
|              |          |A use-after-free vulnerability in the Linux        |
|              |          |kernel's net/sched: cls_route component can be     |
|              |          |exploited to achieve local privilege escalation.   |
|              |7.8 (     |When route4_change() is called on an existing      |
|              |CVSS:3.1/ |filter, the whole tcf_result struct is always      |
|              |AV:L/AC:L/|copied into the new instance of the filter. This   |
|CVE-2023-4206 |PR:L/UI:N/|causes a problem when updating a filter bound to a |
|              |S:U/C:H/  |class, as tcf_unbind_filter() is always called on  |
|              |I:H/A:H ) |the old instance in the success path, decreasing   |
|              |          |filter_cnt of the still referenced class and       |
|              |          |allowing it to be deleted, leading to a            |
|              |          |use-after-free. We recommend upgrading past commit |
|              |          |b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.          |
+--------------+----------+---------------------------------------------------+
|              |          |A use-after-free vulnerability in the Linux        |
|              |          |kernel's net/sched: cls_fw component can be        |
|              |          |exploited to achieve local privilege escalation.   |
|              |7.8 (     |When fw_change() is called on an existing filter,  |
|              |CVSS:3.1/ |the whole tcf_result struct is always copied into  |
|              |AV:L/AC:L/|the new instance of the filter. This causes a      |
|CVE-2023-4207 |PR:L/UI:N/|problem when updating a filter bound to a class, as|
|              |S:U/C:H/  |tcf_unbind_filter() is always called on the old    |
|              |I:H/A:H ) |instance in the success path, decreasing filter_cnt|
|              |          |of the still referenced class and allowing it to be|
|              |          |deleted, leading to a use-after-free. We recommend |
|              |          |upgrading past commit                              |
|              |          |76e42ae831991c828cffa8c37736ebfb831ad5ec.          |
+--------------+----------+---------------------------------------------------+
|              |          |A use-after-free vulnerability in the Linux        |
|              |          |kernel's net/sched: cls_u32 component can be       |
|              |          |exploited to achieve local privilege escalation.   |
|              |7.8 (     |When u32_change() is called on an existing filter, |
|              |CVSS:3.1/ |the whole tcf_result struct is always copied into  |
|              |AV:L/AC:L/|the new instance of the filter. This causes a      |
|CVE-2023-4208 |PR:L/UI:N/|problem when updating a filter bound to a class, as|
|              |S:U/C:H/  |tcf_unbind_filter() is always called on the old    |
|              |I:H/A:H ) |instance in the success path, decreasing filter_cnt|
|              |          |of the still referenced class and allowing it to be|
|              |          |deleted, leading to a use-after-free. We recommend |
|              |          |upgrading past commit                              |
|              |          |3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.          |
+--------------+----------+---------------------------------------------------+
|              |5.5 (     |                                                   |
|              |CVSS:3.1/ |An issue in "Zen 2" CPUs, under specific           |
|CVE-2023-20593|AV:L/AC:L/|microarchitectural circumstances, may allow an     |
|              |PR:L/UI:N/|attacker to potentially access sensitive           |
|              |S:U/C:H/  |information.                                       |
|              |I:N/A:N ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |4.7 (     |A side channel vulnerability on some of the AMD    |
|              |CVSS:3.1/ |CPUs may allow an attacker to influence the return |
|CVE-2023-20569|AV:L/AC:H/|address prediction. This may result in speculative |
|              |PR:L/UI:N/|execution at an attacker-controlled address,       |
|              |S:U/C:H/  |potentially leading to information disclosure.     |
|              |I:N/A:N ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |          |Certifi is a curated collection of Root            |
|              |9.8 (     |Certificates for validating the trustworthiness of |
|              |CVSS:3.1/ |SSL certificates while verifying the identity of   |
|              |AV:N/AC:L/|TLS hosts. Certifi prior to version 2023.07.22     |
|CVE-2023-37920|PR:N/UI:N/|recognizes "e-Tugra" root certificates. e-Tugra's  |
|              |S:U/C:H/  |root certificates were subject to an investigation |
|              |I:H/A:H ) |prompted by reporting of security issues in their  |
|              |          |systems. Certifi 2023.07.22 removes root           |
|              |          |certificates from "e-Tugra" from the root store.   |
+--------------+----------+---------------------------------------------------+
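The CVE-2023-44981 entry above describes the check that SASL Quorum Peer authentication performs: the instance part of the SASL authorization ID must appear in the zoo.cfg server list, and an ID with no instance part used to skip that check. The following is an added example, not ZooKeeper's own code, that models that check in simplified form against a constructed zoo.cfg so an operator can see what the fixed behaviour must do with an ID such as 'eve@EXAMPLE.COM'; the hostnames and principal names are assumptions.

```python
import re

# Constructed sample zoo.cfg (not from the advisory): SASL quorum auth enabled
# and a three-member ensemble.
SAMPLE_ZOO_CFG = """\
tickTime=2000
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
server.1=zoo1.example.com:2888:3888
server.2=zoo2.example.com:2888:3888
server.3=zoo3.example.com:2888:3888
"""

# Kerberos-style principal: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>.+)$")


def parse_zoo_cfg(text):
    """Return (settings dict, set of quorum member hostnames) from zoo.cfg text."""
    settings, hosts = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.startswith("server."):
            # server.N=host:peerPort:electionPort -> keep only the host
            hosts.add(value.split(":", 1)[0])
        else:
            settings[key] = value
    return settings, hosts


def sasl_quorum_enabled(settings):
    """True when quorum.auth.enableSasl=true, i.e. the check below is in play."""
    return settings.get("quorum.auth.enableSasl", "false").lower() == "true"


def quorum_peer_authorized(authz_id, hosts, require_instance=True):
    """Simplified model of the quorum peer authorization decision.

    require_instance=False reproduces the pre-fix behaviour the advisory
    describes: an ID with no instance part bypasses the server-list check.
    The fixed behaviour (default here) refuses such IDs outright.
    """
    m = PRINCIPAL_RE.match(authz_id)
    if not m:
        return False
    instance = m.group("instance")
    if instance is None:
        return not require_instance
    return instance in hosts
```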

Solution:

The following software releases have been updated to resolve these specific
issues: Juniper Secure Analytics in 7.5.0 UP7 IF05 and all subsequent releases.
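To act on this bulletin across a fleet, the JSA release string has to be compared correctly, including its UP and IF levels. The following is an added example, not Juniper's code, that parses strings of the form "7.5.0 UP7 IF05" and flags installed releases older than the fixed release named above; the inventory hostnames and versions are constructed.

```python
import re

# Fixed release named in the Solution section; anything earlier is treated
# as affected. The interim-fix (IFxx) level is part of the comparison.
FIXED_RELEASE = "7.5.0 UP7 IF05"

VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:\s+UP(?P<up>\d+))?(?:\s+IF(?P<iff>\d+))?$",
    re.IGNORECASE,
)


def parse_jsa_version(text):
    """Turn '7.5.0 UP7 IF05' into a comparable tuple (7, 5, 0, 7, 5).

    A missing UP or IF level counts as 0, so '7.5.0 UP7' sorts before
    '7.5.0 UP7 IF05'. Raises ValueError for strings that are not JSA versions.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JSA version string: {text!r}")
    return tuple(int(m.group(g) or 0) for g in ("major", "minor", "patch", "up", "iff"))


def is_affected(installed, fixed=FIXED_RELEASE):
    """True when the installed JSA release is older than the fixed release."""
    return parse_jsa_version(installed) < parse_jsa_version(fixed)


# Constructed inventory of appliance names and reported versions (not real hosts).
SAMPLE_INVENTORY = {
    "jsa-console-01": "7.5.0 UP6",
    "jsa-console-02": "7.5.0 UP7 IF02",
    "jsa-console-03": "7.5.0 UP7 IF05",
    "jsa-console-04": "7.5.0 UP8",
}


def affected_hosts(inventory):
    """Sorted names of inventory entries still running a pre-fix release."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected; upgrade to {FIXED_RELEASE}")
```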

Software updates are available for download at https://support.juniper.net/
support/downloads/

Workaround:

There are no known workarounds for this issue.

Modification History:

  o 2024-02-28: Initial Publication.

Related Information:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team
  o https://www.ibm.com/support/pages/node/7117884

Last Updated: 2024-02-29
Created:      2024-02-29

--------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================