Multiple products.

The OpenSSL project has published a security advisory for several vulnerabilities resolved in the OpenSSL library on 19th March 2015:

CVE             CVSS v2 base score                    Summary
CVE-2015-0209   5.0 (AV:N/AC:M/Au:N/C:N/I:N/A:P)      Denial of service due to a use-after-free vulnerability in the d2i_ECPrivateKey function.
CVE-2015-0286   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)      Denial of service while processing a crafted X.509 certificate.
CVE-2015-0287   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)      Denial of service due to ASN.1 structure reuse.
CVE-2015-0288   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)      Denial of service (NULL pointer dereference and application crash) via an invalid certificate key.
CVE-2015-0289   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)      Denial of service (NULL pointer dereference and application crash) while processing arbitrary PKCS#7 data.
CVE-2015-0292   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)      Denial of service due to an integer underflow in the EVP_DecodeUpdate function.
CVE-2015-0293   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)      Denial of service in the SSLv2 implementation.

In addition to the above, the OpenSSL advisory lists CVE-2015-0291, CVE-2015-0290, CVE-2015-0207, CVE-2015-0208, CVE-2015-1787, and CVE-2015-0285, which only affect OpenSSL version 1.0.2. No Juniper product uses OpenSSL 1.0.2, so these issues do not affect any Juniper product.

Vulnerable Products:
- Junos OS is potentially affected by one or more of the vulnerabilities.
- CTPOS releases prior to 7.0R4 are potentially affected by one or more of the vulnerabilities.
- DDoS Secure is potentially affected by one or more of the vulnerabilities.
- IDP is potentially affected by one or more of the vulnerabilities.
- Junos Space is potentially affected by one or more of the vulnerabilities.
- NSM is potentially affected by one or more of the vulnerabilities.
- Pulse Secure: please refer to TSB16661.
- SBR Carrier is potentially affected by one or more of the vulnerabilities.
- SRC Series is potentially affected by one or more of the vulnerabilities.
- ScreenOS is potentially affected by one or more of the vulnerabilities.
- STRM and JSA Series are affected by CVE-2015-0286, CVE-2015-0287 and CVE-2015-0289.
- vGW is potentially affected by one or more of the vulnerabilities.
- RingMaster Appliance is potentially affected by one or more of the vulnerabilities.

Products not vulnerable:
- SmartPass does not use OpenSSL and is not vulnerable.
- RingMaster Software does not use OpenSSL and is not vulnerable.

As new information becomes available on products that are not listed above, this document will be updated.

Standard security best current practices (control plane firewall filters, edge filtering, access lists, etc.) may protect against remote malicious attacks.

Junos OS: Since SSL is used for remote network configuration and management applications such as J-Web and the SSL service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
- Disabling J-Web.
- Disabling the SSL service for JUNOScript and using only NETCONF, which runs over SSH, to make configuration changes.
- Limiting access to J-Web and XNM-SSL to trusted networks only.

ScreenOS: As a temporary workaround on the server side of ScreenOS, you can disable the HTTPS web user interface and the WebAuth feature. If you disable the HTTPS user interface, configuration management must be done over the command line (SSH). The command to disable SSL is:
unset ssl enable
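The Junos workarounds above, written out as an added example in Junos set-format configuration. This is not configuration from the Juniper advisory: the management prefix 192.0.2.0/24 and the filter and term names are placeholders, the lines beginning with # are commentary rather than Junos syntax, and the assumption that XNM-SSL listens on TCP port 3220 (its documented default) should be confirmed on the target release before the filter is committed.

```junos
# Before (constructed example): both TLS-terminating management services are
# enabled and reachable from any source that can route to the device.
set system services web-management https system-generated-certificate
set system services xnm-ssl
set system services ssh

# After, option 1: remove J-Web and XNM-SSL entirely and keep configuration
# management on SSH and NETCONF-over-SSH, which do not use the OpenSSL TLS path.
delete system services web-management
delete system services xnm-ssl
set system services ssh
set system services netconf ssh

# After, option 2 (if J-Web or XNM-SSL must stay): restrict them to a trusted
# prefix with a control-plane filter on lo0 so untrusted sources cannot reach
# the TLS listeners at all. 192.0.2.0/24 is a placeholder management network;
# 3220 is assumed to be the XNM-SSL port.
set policy-options prefix-list trusted-mgmt 192.0.2.0/24
set firewall family inet filter protect-re term trusted-ssl from source-prefix-list trusted-mgmt
set firewall family inet filter protect-re term trusted-ssl from protocol tcp
set firewall family inet filter protect-re term trusted-ssl from destination-port [ https 3220 ]
set firewall family inet filter protect-re term trusted-ssl then accept
set firewall family inet filter protect-re term block-ssl from protocol tcp
set firewall family inet filter protect-re term block-ssl from destination-port [ https 3220 ]
set firewall family inet filter protect-re term block-ssl then discard
set firewall family inet filter protect-re term everything-else then accept
set interfaces lo0 unit 0 family inet filter input protect-re
commit comment "OpenSSL advisory workaround: restrict TLS management services"
```

The final everything-else term accepts all other control-plane traffic so that applying the filter does not also cut off routing protocols or SSH; a production lo0 filter is normally far stricter than this, and the block-ssl term should be reviewed against any other TLS listeners the platform exposes. Option 1 is the smaller attack surface and is preferable wherever J-Web and XNM-SSL are not operationally required.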

Information for how Juniper Networks uses CVSS can be found at KB 16446 “Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”
