Junos OS CLI has a bad bug. So good luck applying its new patches
Gin palace has eight bug-killing shots for you to imbibe
Juniper user? Feeling smug because you didn't have to race to download the latest Cisco patch round? Sorry: Juniper has just emitted eight vulnerability patches of its own.
Let's start with this advisory, since it's rated critical.
The Junos Space network management system has a crop of vulnerabilities, some of which are remotely exploitable. Version 15.2R2 splats bugs including authentication bugs, badly-validated SSH keys, a cross-site request forgery vulnerability, command injection, cross-site scripting and XML injection.
The company's CTPView network management system is patched against a bunch of third-party vulnerabilities.
The patches cover various Mozilla components, DHCP services, a Xen x86 emulator bug from last year, 2013's “Motochopper” bug, OpenSSL bugs and more.
The Junos OS command line interface has a privilege escalation vulnerability that means any authorised user can get “complete control” of a device running a vulnerable version.
CVE-2016-4922 affects a long list of Junos OS versions, and patches are available.
The Virtual MX Series (vMX) router software has a permissions slip-up.
Once again, it's a local privilege escalation bug – but it's serious, because the unprivileged user can read the vMX or its packet forwarding engine (vPFE) images, and obtain private crypto keys.
The Junos OS J-Web interface has a remote exploit bug. An attacker can inject web scripts or HTML to steal credentials and get management access to a system. Turn it off or apply the patch.
The company's also taken the swatter to two IPv6 denial-of-service vulnerabilities, and updated its rolling OpenSSL advisory. ®