2014-11 Security Bulletin: Juniper Secure Analytics and Security Threat Response Manager: Multiple vulnerabilities
Product Affected: JSA series devices or virtual machines running JSA software releases 2013.2, 2014.1 and 2014.2, and STRM series devices or virtual machines running STRM software releases 2012.1, 2013.1 and 2013.2.
Problem: STRM and JSA 2013.2 releases prior to 2013.2R9, and JSA 2014 releases prior to 2014.3R1, are affected by the following vulnerabilities:

CVE           | CVSS v2 base score                 | Summary
CVE-2014-3062 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Remote code execution: a remote attacker with detailed knowledge of the system and of product operation could execute code with root privileges.
CVE-2014-4833 | 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) | Remote authenticated users could gain privileges via invalid input.
CVE-2014-0075 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Integer overflow in Apache Tomcat.
CVE-2014-0095 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service (thread consumption) in Apache Tomcat.
CVE-2014-3091 | 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Cross-site scripting (XSS).
CVE-2014-0096 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | XML External Entity (XXE) issue in Apache Tomcat.
CVE-2014-0099 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Integer overflow in Apache Tomcat.
CVE-2014-0119 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | XML External Entity (XXE) issue in Apache Tomcat.
CVE-2014-0837 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Insufficient verification of X.509 certificates in the autoupdate process while downloading updates; a man-in-the-middle attacker could manipulate the update traffic.
CVE-2014-4825 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Incorrect handling of secure connections when communicating with other applications; a man-in-the-middle attacker could recover cleartext credentials or other sensitive information.
CVE-2014-4827 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Cross-site scripting (XSS).
CVE-2014-4828 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Clickjacking.
CVE-2014-4830 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Missing HTTPOnly flag on sensitive cookies; the flag prevents client-side script from reading them.
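The last two entries above (clickjacking and a missing HTTPOnly flag) are web-UI hardening gaps an operator can re-verify from a single HTTP response after upgrading. The Python checker below is an added example, not Juniper's code and not part of this advisory: it parses a raw HTTP response head, flags session-type cookies set without HttpOnly (and, going beyond the advisory, without Secure), and reports responses that carry neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive. Both sample responses are constructed for illustration and are not captures from an STRM or JSA appliance; the cookie name JSESSIONID is only the Tomcat default and is an assumption about any real deployment.

```python
"""Added example (not Juniper's code): audit a raw HTTP response head for
the two client-side gaps named in the advisory, a session cookie set without
HttpOnly (CVE-2014-4830 class) and a page that third-party sites can frame
(CVE-2014-4828 class). The Secure-flag check goes beyond the advisory.
The sample responses are constructed for illustration, not appliance captures."""
import re
from typing import Dict, List, Tuple

# Cookie names worth checking: session/auth identifiers. JSESSIONID is only
# the Tomcat default name and is an assumption about any real deployment.
SENSITIVE_COOKIE_RE = re.compile(r"sess|auth|token|sid", re.IGNORECASE)


def parse_response_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (status line, [(lower-cased name, value), ...]) for the head of a
    raw HTTP/1.1 response. Repeated headers such as Set-Cookie are preserved."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into its name plus the flags we care about.
    Attribute names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def check_cookie_flags(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag session-type cookies that client-side script could read (no HttpOnly)
    or that the browser would also send over plain HTTP (no Secure)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not SENSITIVE_COOKIE_RE.search(cookie["name"]):
            continue
        if not cookie["httponly"]:
            findings.append(f"cookie {cookie['name']} lacks HttpOnly")
        if not cookie["secure"]:
            findings.append(f"cookie {cookie['name']} lacks Secure")
    return findings


def check_framing_protection(headers: List[Tuple[str, str]]) -> List[str]:
    """A response is frameable unless it carries X-Frame-Options DENY/SAMEORIGIN
    or a Content-Security-Policy with a frame-ancestors directive."""
    xfo_ok = any(
        n == "x-frame-options" and v.strip().upper() in ("DENY", "SAMEORIGIN")
        for n, v in headers
    )
    csp_ok = any(
        n == "content-security-policy" and "frame-ancestors" in v.lower()
        for n, v in headers
    )
    if xfo_ok or csp_ok:
        return []
    return ["no X-Frame-Options or CSP frame-ancestors: response can be framed (clickjacking)"]


def audit_response(raw: str) -> List[str]:
    """Run both checks; an empty list means no finding."""
    _, headers = parse_response_head(raw)
    return check_cookie_flags(headers) + check_framing_protection(headers)


# Constructed samples. Neither is a capture from an STRM or JSA appliance.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; Secure; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["ok"])
```

To use it against a live appliance, feed `audit_response` the raw head of a response to the login page captured with a proxy or `openssl s_client`; a clean result after upgrading to 2013.2R9 or 2014.3R1 confirms the cookie and framing fixes are in effect for that page, while the XSS, XXE and Tomcat items in the table need the version check, not a header check.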
Solution: These issues are resolved in:
JSA 2014.3R1 or later releases.
JSA or STRM 2013.2R9 or later releases.
Workaround: There are no known workarounds that mitigate all of the above issues. Restricting access to the device to trusted hosts only reduces exposure to some of them; in particular, inbound access restrictions do not address the certificate-verification weakness in the outbound autoupdate download (CVE-2014-0837), so upgrading remains the only complete fix.
Implementation: JSA and STRM software is available for download from http://www.juniper.net/support/downloads/.
Modification History: 2014-11-12: Initial publication.
Related Links:
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Risk Assessment: Vulnerability CVE-2014-3062 has the highest CVSS v2 base score of 9.3 in this advisory.