Junos OS CLI has a bad bug. So good luck applying its new patches

Gin palace has eight bug-killing shots for you to imbibe

Juniper user? Feeling smug because you didn't have to race to download the latest Cisco patch round? Sorry: Juniper has just emitted eight vulnerability patches of its own.

Let's start with this advisory, since it's rated critical.

The Junos Space network management system has a crop of vulnerabilities, some of which are remotely exploitable. Version 15.2R2 splats bugs including authentication bugs, badly-validated SSH keys, a cross-site request forgery vulnerability, command injection, cross-site scripting and XML injection.

The company's CTPView network management system is patched against a bunch of third-party vulnerabilities here.

The patches cover various Mozilla components, DHCP services, a Xen x86 emulator bug from last year, 2013's “Motochopper” bug, OpenSSL bugs and more.

The Junos OS command line interface has a privilege escalation vulnerability that means any authorised user can get “complete control” of a device running a vulnerable version.

CVE-2016-4922 affects a long list of Junos OS versions with patches here.

The Virtual MX Series (vMX) router software has a permissions slip-up.

Once again, it's a local privilege escalation bug – but it's serious, because an unprivileged user can read the vMX or its packet forwarding engine (vPFE) images and obtain private crypto keys.

The Junos OS J-Web interface has a remote exploit bug. An attacker can inject web scripts or HTML to steal credentials and get management access to a system. Turn it off or apply the patch.

The company's also taken the swatter to two IPv6 denial-of-service vulnerabilities, and updated its rolling OpenSSL advisory. ®


Biting the hand that feeds IT © 1998–2017