2014-11 Security Bulletin: Junos Space: Multiple vulnerabilities resolved by third party software upgrades
Product Affected:Junos Space, and the JA1500 and JA2500 Junos Space Appliances, running Junos Space 13.3 and earlier releases.
Problem:Junos Space release 14.1R1 addresses multiple vulnerabilities in prior releases by updating third-party software components. The following is a list of the software upgraded and the vulnerabilities resolved.

Oracle Java runtime 1.7.0 update 45 (1.7.0_45) was upgraded to 1.7.0 update 51 (1.7.0_51), which resolves:

CVE            CVSS v2 base score                  Summary
CVE-2014-0460  5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)    Vulnerability in JNDI
CVE-2014-0453  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)    Vulnerability in Java security component
CVE-2014-0423  5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P)    Vulnerability in Java Beans
CVE-2014-0411  4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)    Vulnerability in JSSE

The OpenSSL CentOS package was upgraded to 0.9.8e-27.el5_10.1, which resolves:

CVE            CVSS v2 base score                  Summary
CVE-2012-2110  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)    OpenSSL: Buffer overflow vulnerability
CVE-2012-2131  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)    Buffer overflow vulnerability

Oracle MySQL was upgraded from 5.5.34 to 5.5.36, which resolves:

CVE            CVSS v2 base score                  Summary
CVE-2013-5908  2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)    Denial of service vulnerability in MySQL error handling
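As an added example (not part of the Juniper advisory), the following POSIX shell script checks whether the three upgraded components on a Junos Space appliance are at or above the versions listed above. The fixed version strings are taken from this advisory; the commands used to read the installed versions (java -version, rpm -q openssl, mysql -V) and the sample outputs embedded for off-box testing are assumptions about the appliance's CentOS 5 userland, not output captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the Juniper advisory: compare the installed
# versions of the three third-party components named above against the
# versions Junos Space 14.1R1 ships. Fixed versions come from the advisory;
# the commands that read installed versions are assumptions about the
# CentOS 5 userland on the appliance.

# Versions the advisory names as carrying the fixes.
JAVA_FIXED="1.7.0_51"
OPENSSL_FIXED="0.9.8e-27.el5_10.1"
MYSQL_FIXED="5.5.36"

# Compare two version strings segment by segment (split on any
# non-alphanumeric character). Segments that are both all-digit compare
# numerically, anything else lexically; a missing segment sorts lowest.
# Prints -1, 0 or 1. Simpler than rpmvercmp (it does not split "8e" into
# "8" and "e"), which is enough for the version strings in this advisory.
vercmp() {
    awk -v a="$1" -v b="$2" '
    BEGIN {
        na = split(a, as, /[^A-Za-z0-9]+/)
        nb = split(b, bs, /[^A-Za-z0-9]+/)
        n = (na > nb) ? na : nb
        r = 0
        for (i = 1; i <= n && r == 0; i++) {
            x = (i <= na) ? as[i] : ""
            y = (i <= nb) ? bs[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) r = -1
            else if (x > y) r = 1
        }
        print r
    }'
}

# Pull the version string out of `java -version 2>&1` output.
java_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Pull the server version out of `mysql -V` output.
mysql_version() {
    printf '%s\n' "$1" | sed -n 's/.*Distrib \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Report one component. Returns 0 when the installed version is at or above
# the fixed version, 1 when it is older or could not be determined.
check_component() {
    name=$1; installed=$2; fixed=$3
    if [ -z "$installed" ]; then
        printf '%-8s UNKNOWN   (could not read installed version)\n' "$name"
        return 1
    fi
    if [ "$(vercmp "$installed" "$fixed")" -ge 0 ]; then
        printf '%-8s OK        %s (fix shipped in %s)\n' "$name" "$installed" "$fixed"
        return 0
    fi
    printf '%-8s AFFECTED  %s is older than %s\n' "$name" "$installed" "$fixed"
    return 1
}

# Run all three checks on the appliance. rpm may list more than one openssl
# package (i686 and x86_64 on a 64-bit CentOS 5 box), so each line is checked.
audit_appliance() {
    rc=0
    check_component java "$(java_version "$(java -version 2>&1)")" "$JAVA_FIXED" || rc=1
    for v in $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null); do
        check_component openssl "$v" "$OPENSSL_FIXED" || rc=1
    done
    check_component mysql "$(mysql_version "$(mysql -V 2>/dev/null)")" "$MYSQL_FIXED" || rc=1
    return $rc
}

# Constructed sample outputs (not captured from a real appliance) so the
# parsers can be exercised off-box.
SAMPLE_JAVA_OLD='java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)'
SAMPLE_JAVA_NEW='java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)'
SAMPLE_MYSQL_OLD='mysql  Ver 14.14 Distrib 5.5.34, for Linux (x86_64) using readline 5.1'

# Invoke with --run on the appliance itself; exit status 0 means all three
# components are at or above the fixed versions.
case "${1:-}" in
    --run) audit_appliance ;;
esac
```

Run it on the appliance as `sh check_space_versions.sh --run` after the 14.1R1 upgrade (and after the Bash Security Update v2 patch) to confirm the component upgrades actually landed; a non-zero exit status means at least one component is still at a pre-14.1R1 version or could not be read.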
Solution:These issues are fixed in Junos Space 14.1R1 and all subsequent releases.
Workaround:Use access lists or firewall filters to limit access to the Junos Space device to trusted hosts only.
Implementation:Junos Space releases are available at http://www.juniper.net/support/downloads/?p=space#sw. Note: If you are upgrading to 14.1 from a previous release, please download and install the Bash Security Update v2 patch (even if the Bash Security Update was previously installed). Please see http://kb.juniper.net/JSA10648.
Modification History:2014-11-12: Initial publication.
CVSS Score:7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Risk Assessment:OpenSSL vulnerabilities CVE-2012-2110 and CVE-2012-2131 have the highest CVSS v2 base score of 7.5 in this advisory.