Juniper Vulnerabilities

JSA10638 – 2014-07 Security Bulletin: Junos: Denial of Service in TCP...

2014-07 Security Bulletin: Junos: Denial of Service in TCP packet processing (CVE-2004-0230)

Product Affected: This issue can affect any product or platform running Junos OS.

Problem: For an established TCP session, TCP input validation only ensures that sequence numbers are within the acceptable window prior to examining whether the SYN flag is set on the segment. If the SYN flag is set, the TCP stack drops the session and sends a RST segment to the other side. Given that the SYN only needs to fall within the window, an attacker who can guess an in-window sequence number, source and destination address and port numbers can exploit this vulnerability to reset any established TCP session.

This issue only affects TCP sessions terminating on the router. Transit traffic and TCP Proxy services are unaffected by this vulnerability.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2004-0230.

Solution: Junos now implements the TCP robustness improvements outlined in Section 4 of RFC 5961. Junos will send an ACK in response to any SYN or RST flag received, irrespective of the sequence number.

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R11, 12.1R10, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 12.1X47-D10, 12.2R8, 12.3R6, 13.1R4, 13.2R4, 13.3R2, 14.1R1, and all subsequent releases (i.e. all releases built after 14.1R1).

This issue is being tracked as PR 935125 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
- Enable TCP authentication. Refer to Junos documentation for config options and examples.
- Enable IPSec.
- Enable the system to send ACKs for in-window RSTs and SYN packets on TCP connections via the 'set system internet-options tcp-reset-syn-acknowledge' hidden configuration command.
- Enable a stateful firewall to block SYN packets on existing sessions.

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via TCP only from trusted, administrative networks or hosts.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

CVSS Score: CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Risk Level: Medium

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
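The difference between the old SYN handling and the RFC 5961 Section 4 behaviour described in JSA10638 can be seen in a small model. This is an added example, not Juniper code or part of the advisory; the class and function names are hypothetical, and the model covers only the SYN case on an established session.

```python
# Added illustration: simplified model of how an ESTABLISHED TCP session reacts
# to a segment carrying SYN, before and after the RFC 5961 Section 4 change.
# All names are hypothetical; this is not Junos code.
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Session:
    rcv_nxt: int              # next sequence number the receiver expects
    rcv_wnd: int              # receive window size in bytes
    established: bool = True


def in_window(s, seq):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wrap."""
    return (seq - s.rcv_nxt) % SEQ_SPACE < s.rcv_wnd


def legacy_on_syn(s, seq):
    """Pre-fix behaviour from the advisory: an in-window SYN tears the
    session down and a RST is sent to the peer."""
    if in_window(s, seq):
        s.established = False
        return "RST"
    return "ACK"              # out-of-window segment: ACK and discard


def rfc5961_on_syn(s, seq):
    """RFC 5961 Section 4 behaviour: answer any SYN with an ACK, whatever its
    sequence number, and leave the session untouched. A genuine peer that
    really restarted replies to that ACK with a RST of its own."""
    return "ACK"


def guesses_to_cover(rcv_wnd):
    """One guess per window is enough to land in-window somewhere, so the
    whole sequence space is covered by ceil(2^32 / rcv_wnd) segments."""
    return -(-SEQ_SPACE // rcv_wnd)


def survives_full_sweep(on_syn, s):
    """Feed the handler one SYN per window across the entire sequence space
    and report whether the session is still established afterwards."""
    for n in range(guesses_to_cover(s.rcv_wnd)):
        on_syn(s, (n * s.rcv_wnd) % SEQ_SPACE)
        if not s.established:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample values.
    wnd = 16384
    print("segments needed to cover the space:", guesses_to_cover(wnd))
    print("legacy survives sweep: ",
          survives_full_sweep(legacy_on_syn, Session(0x12345678, wnd)))
    print("RFC 5961 survives sweep:",
          survives_full_sweep(rfc5961_on_syn, Session(0x12345678, wnd)))
```

The larger the receive window, the fewer segments cover the sequence space, which is why long-lived sessions with large windows (BGP, for example) are the ones worth protecting first with the listed workarounds.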

JSA10682 – 2015-07 Security Bulletin: Junos: Multiple vulnerabilities in J-Web error...

2015-07 Security Bulletin: Junos: Multiple vulnerabilities in J-Web error handling (CVE-2014-6447)

Product Affected: This issue can affect any product or platform running Junos OS with J-Web enabled.

Problem: Multiple vulnerabilities exist in J-Web error handling that may lead to cross site scripting (XSS) issues or crash the J-Web service. The cross site scripting vulnerability may allow a remote network based attacker to steal sensitive information such as session credentials from an administrative user or perform administrative actions through an administrative user's browser.

This issue was discovered by an external security researcher. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue has been assigned CVE-2014-6447.

Solution: The following software releases have been updated to resolve these specific issues: Junos OS 12.1X44-D45, 12.1X46-D30, 12.1X47-D20, 12.3R8, 12.3X48-D10, 13.1R5, 13.2R6, 13.3R4, 14.1R3, 14.1X53-D10, 14.2R1, 15.1R1, and all subsequent releases.

This issue is being tracked as PR 959990 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: Disable J-Web or, to reduce the risks of exploitation due to this vulnerability, limit J-Web access to only trusted hosts.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
- 2015-07-08: Initial publication
- 2015-07-14: Added 14.1X53-D10 to list of fixed releases.

CVSS Score: CVSSv2: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Risk Level: Medium

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements: The Juniper SIRT would like to acknowledge and thank Kyle Lovett for responsibly reporting this vulnerability.

JSA10616 – 2014-03 Security Bulletin: Junos Pulse Secure Access Service (SSL...

2014-03 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN): Linux Network Connect client local user privilege escalation issue (CVE-2014-2292)

Product Affected: This issue can affect all: SA700, SA2000, SA2500, SA4000, FIPS SA4000, SA4500, FIPS SA4500, SA6000, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611. The affected software releases include IVE OS 7.1, 7.3, 7.4, and 8.0.

Problem: A privilege escalation issue has been found and corrected in the Linux Network Connect client. This issue could allow a non-root user to escalate their access to root privileges on a Network Connect end-user client system.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2292.

Solution: The issue is fixed in SA/MAG (IVE OS) releases: 8.0r2, 7.4r8, 7.3r10, and 7.1r17, and all subsequent releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: There is no workaround for this issue. You must upgrade to a fixed version of the software for the fix.

CVSS Score: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)

Risk Level: Medium

Acknowledgements: Juniper Networks would like to thank two reporters for independently discovering this issue and bringing it to our attention: Jörg Scheinert from Verizon GCIS Vulnerability Management for the discovery and Thierry Zoller for analysis and coordination, and also Joep Vesseur.

JSA10669 – 2015-01 Security Bulletin: Junos: Multiple vulnerabilities in libxml2 library

Product Affected: This issue can affect any product or platform running Junos OS.

Problem: Multiple vulnerabilities in Junos OS have been resolved by updating the libxml2 library. Libxml2 was upgraded from 2.7.6 to 2.9.1 which resolves the following vulnerabilities:

CVE | CVSS v2 base score | Summary
CVE-2011-1944 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Denial of service or arbitrary code execution vulnerability.
CVE-2012-5134 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Denial of service or arbitrary code execution vulnerability.
CVE-2012-0841 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service vulnerability related to hash collisions.
CVE-2013-2877 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service related to documents that end abruptly.
CVE-2013-0338 | 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Denial of service vulnerability related to entity expansion.

These issues can be potentially exploited through Junos OS services that make use of the libxml2 library such as CLI, J-Web, JUNOScript or NETCONF to cause a denial of service or code execution with elevated privileges on the device.

Solution: The following software releases have been updated to resolve this specific issue: Junos OS 11.4R13, 12.1X44-D35, 12.1X44-D40, 12.1X45-D30, 12.1X46-D25, 12.1X47-D10, 12.2R9, 12.3R7, 13.1R4-S2, 13.3R3, 14.1R2, 14.2R1 and all subsequent releases (i.e. all releases built after 11.4R13).

This issue is being tracked as PR 984070 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: Use access lists or firewall filters to limit access to the router only from trusted hosts or users.

Disabling J-WEB, JUNOScript, NETCONF and restricting Junos CLI access to trusted users can help in reducing risks associated with these issues.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2015-01-14: Initial publication.

CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Risk Level: Critical

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10670 – 2015-01 Security Bulletin: Junos: Malformed BGP FlowSpec prefix triggers...

2015-01 Security Bulletin: Junos: Malformed BGP FlowSpec prefix triggers rpd crash (CVE-2014-6386)

Product Affected: This issue can affect any product or platform running Junos OS with BGP FlowSpec enabled.

Problem: Receipt of a malformed BGP FlowSpec prefix may cause the router to trigger an assert (programmatic crash) when detecting a certain specification violation. Rather than simply flagging, logging, and/or dropping the packet, the routing process daemon (rpd) will crash and restart.

This issue was found during negative protocol testing and has not been seen in a production network.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6386.

Solution: The program assert has been replaced with standard BGP error handling logic, allowing rpd to continue to function upon receipt of the malformed BGP FlowSpec prefix.

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R8, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 12.1X47-D10, 12.2R9, 12.3R2-S3, 12.3R3, 13.1R4, 13.2R1, and all subsequent releases.

This issue is being tracked as PR 878438 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: Only configure the FlowSpec NLRI to a known trusted BGP peer. Using MD5 authentication is also a good security practice.

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via FlowSpec only from trusted, administrative networks or hosts.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2015-01-14: Initial publication

CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Risk Level: High

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10732 – 2016-04 Security Bulletin: ScreenOS: Malformed SSL/TLS packet causes Denial...

2016-04 Security Bulletin: ScreenOS: Malformed SSL/TLS packet causes Denial of Service (CVE-2016-1268)

Product Affected: This issue affects any products and platforms running ScreenOS versions 6.3.0r19b and earlier releases.

Problem: A specially crafted m...

JSA10706 – 2015-10 Security Bulletin: Junos: FTPS through SRX opens up...

2015-10 Security Bulletin: Junos: FTPS through SRX opens up wide range of data channel TCP ports (CVE-2015-5361)

Product Affected: This issue can affect all SRX Series services gateways with the FTPS Application Layer Gateway (ALG) enabled with the ftps-extensions option.

Problem:

Background: For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensions option (which is disabled by default) is to provide similar functionality when the SRX secures the FTP/FTPS client. As the control channel is encrypted, the FTP ALG cannot inspect the port specific information and will open a wider TCP data channel (gate) from client IP to server IP on all destination TCP ports. In FTP/FTPS client environments to an enterprise network or the Internet, this is the desired behavior as it allows firewall policy to be written to FTP/FTPS servers on well-known control ports without using a policy with destination IP ANY and destination port ANY.

Issue: The ftps-extensions option is not intended or recommended where the SRX secures the FTPS server, as the wide data channel session (gate) will allow the FTPS client temporary access to all TCP ports on the FTPS server. The data session is associated to the control channel and will be closed when the control channel session closes. Depending on the configuration of the FTPS server, supporting load-balancer, and SRX inactivity-timeout values, the server/load-balancer and SRX may keep the control channel open for an extended period of time, allowing an FTPS client access for an equal duration.

Note that the ftps-extensions option is not enabled by default.

This issue is assigned CVE-2015-5361.

Solution: The overall behavior of the FTP ALG with the ftps-extensions option is intended behavior and will not change. The key component to this advisory is increasing user awareness of the wide TCP data channel (gate) creation, allowing creation of any new sessions from client to server, and potential implications where the SRX protects the FTPS server and the server/load-balancer allows the control channel to remain open for an extended period.

Investigation into the issue identified two issues applicable to environments where the SRX protects both FTPS clients and servers, as well as uses FTP and FTPS over the same TCP ports to different servers.

- Due to the recent changes of OpenSSL, the FTP ALG without the ftps-extensions option may block FTPS commands over the FTP control channel. This is client and server specific, and was observed with FTPS clients that use recent versions of OpenSSL. This may result in security administrators enabling the ftps-extensions option with the intent of allowing the commands to pass, but inadvertently allowing wide gate creation. This was observed in a configuration with simultaneous FTPS client/server use, with use of the same ports for FTP and FTPS traffic.
- The ftps-extension option is not supported when the SRX performs a destination NAT of the FTPS server, as the ALG cannot inspect the control channel to modify the server’s IP address signaled to the client. In an environment of simultaneous FTP and FTPS server use with the ftps-extensions option enabled, the gate is created but is generally unusable by the FTPS client. However, an FTPS client with knowledge of the server’s real IP address, its NAT’d IP address, and routing reachability to the server’s real IP address may be able to use the wide gate to reach the FTPS server.

The software releases listed below resolve these issues as follows:

- The FTP ALG without the ftps-extensions option will allow FTPS related commands to pass over the FTP control channel. As the ftps-extension option is not enabled, the wide TCP data channel is not created.
- If the FTPS server is NAT’d by the SRX (destination or static NAT), the wide TCP data channel is not created.

The following software releases have been updated to resolve these specific issues: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3X48-D15, 15.1X49-D10, and all subsequent releases.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue is being tracked as PR 1067419 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: Do not enable the 'ftps-extensions' option if FTPS is not needed. The 'ftps-extensions' option is disabled by default.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2015-10-14: Initial publication

CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Risk Level: Medium

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories"

JSA10686 – 2015-07 Security Bulletin: Junos: mbuf exhaustion due to sessions...

2015-07 Security Bulletin: Junos: mbuf exhaustion due to sessions stuck in LAST_ACK state (CVE-2015-5358)

Product Affected: This issue can affect any product or platform running Junos OS.

Problem: When an active TCP connection transitions to LAST_ACK state and the daemon connected to the socket still has more data to send, the socket could get stuck in LAST_ACK state indefinitely, using up finite mbufs and connections. Triggering this condition repeatedly could lead to total mbuf exhaustion, requiring a reboot or switchover of the master RE to resolve.

Exploitation of this issue requires establishment of a TCP connection to a listening port on the router. TCP ports protected by ingress and/or control plane firewall filters are not vulnerable to this issue. However, anti-spoofing mechanisms should be employed to protect against malicious attempts to bypass existing firewall filters.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue has been assigned CVE-2015-5358.

Solution: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D50, 12.1X46-D35, 12.1X47-D25, 12.3R9, 12.3X48-D15, 13.2R7, 13.2X51-D35, 13.2X52-D25, 13.3R6, 14.1R3-S2, 14.1R4, 14.1X53-D12, 14.1X53-D16, 14.1X55-D25, 14.2R2, 15.1R1, and all subsequent releases.

This issue is being tracked as PR 1029758 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: Limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via TCP only from trusted, administrative networks or hosts. Additionally, for BGP sessions, employ anti-spoofing mechanisms such as uRPF and TTL security mechanisms to protect against source address spoofing.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2015-07-08: Initial publication

CVSS Score: CVSSv2: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Risk Level: High

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10648 – 2014-09 Out of Cycle Security Bulletin: Multiple Products: Shell...

2014-09 Out of Cycle Security Bulletin: Multiple Products: Shell command injection vulnerability in Bash

Product Affected: Junos Space and JA1500, JA2500 (Junos Space Appliance), STRM and JSA series, NSM Appliances (NSM3000 and NSMExpress)

Problem: Bash or the Bourne again shell has vulnerabilities in the way it handles environment variables when it is invoked. Under some scenarios, network based remote attackers can inject shell script that can be executed on a system. This is also known as "ShellShock".

These issues have been assigned CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187.

Products vulnerable to remote exploitation risks:
- Junos Space is vulnerable in all versions.
- JSA Series (STRM) devices are vulnerable in all versions.
- NSM Appliances (NSM3000 and NSMExpress) are vulnerable in all versions.

Products with bash, but NOT affected by remote exploitation risks: Our current assessment shows there is no risk of remote code execution on these products even though the products include bash. Scenarios required for known remote exploitation vectors do not exist on these products. As a precaution, bash in these products will be upgraded. SSL VPN UAC CTPView QFabric DDOS Secure JWAS vGW SRC Junos Pulse Endpoint Profiler

Products NOT affected:
- Junos OS is not vulnerable.
- ScreenOS is not vulnerable.
- JunosE is not vulnerable.
- ADC is not vulnerable.
- SRX-IDP is not vulnerable.
- ISG-IDP is not vulnerable.
- WX is not vulnerable.
- MFC is not vulnerable.

Juniper is investigating our product portfolio for affected software that is not mentioned above. As new information becomes available this document will be updated.

Modification History:
- Sep 25, 2014: Initial release.
- Sep 26, 2014: Provided solution for JSA/STRM series, updated status of NSM to be vulnerable, provided workaround for NSM, included statement on SRC series.

Solution:

JSA/STRM Series devices: Patch for CVE-2014-6271 is available for download from www.juniper.net/support/downloads/. This patch resolves the critical vulnerability CVE-2014-6271 for all versions of JSA and STRM software releases. A patch for other CVEs is pending.

IDP Signatures: Juniper has released signatures to detect this issue. Sigpack 2423 contains an IDP signature called HTTP:CGI:BASH-CODE-INJECTION designed to detect CVE-2014-6271.

We are currently investigating our product portfolio for affected software and will work to provide fixes for any software that is found to be vulnerable. This document will be updated with version information as product updates become available.

Workaround: Workarounds for this issue include:
- Use access lists or firewall filters to limit access to services such as HTTP, HTTPS, and SSH to only trusted hosts.
- Do not use the device as a DHCP client on untrusted networks.
- Limit shell access on any device to only trusted users.

Workaround for NSM Appliances: Until NSM Appliance fixes are available, updated bash RPM bash-3.2-33.el5.1.i386.rpm or later version can be downloaded from http://mirror.centos.org/centos-5/5/updates/i386/RPMS/ and applied on the NSM Appliance.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment irrespective of a product's exposure to this issue. Always use access lists or firewall filters to limit access to the devices only from trusted, administrative networks or hosts.

Implementation: JSA/STRM Series devices: Patch for CVE-2014-6271 is available for download from www.juniper.net/support/downloads/ under JSA or STRM series. Instructions to install the patch are included in the patch release notes.

CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Risk Level: Critical

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements: Juniper SIRT would like to acknowledge and thank Stephane Chazelas for discovering the issue and Florian Weimer for responsibly coordinating disclosure of vulnerability CVE-2014-6271.

JSA10623 – 2014-04 Out of Cycle Security Bulletin: Multiple products affected...

2014-04 Out of Cycle Security Bulletin: Multiple products affected by OpenSSL "Heartbleed" issue (CVE-2014-0160)

Product Affected: Various products: Please see the list in the problem section

Problem: The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information (such as private keys, username and passwords, or contents of encrypted traffic) from process memory via crafted packets that trigger a buffer over-read. This issue is also known as The Heartbleed Bug.

Status of different OpenSSL versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable

Vulnerable Products
- Junos OS 13.3R1 (Fixed code is listed in the "Solution" section)
- SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later (Fixed code is listed in the "Solution" section)
- UAC 4.4r1 and later, and UAC 5.0r1 and later (Fixed code is listed in the "Solution" section)
- Junos Pulse (Desktop) 5.0r1 and later, and Junos Pulse (Desktop) 4.0r5 and later (Fixed code is listed in the "Solution" section)
- Network Connect (windows only) version 7.4R5 to 7.4R9.1 & 8.0R1 to 8.0R3.1. (This client is only impacted when used in FIPS mode.) (Fixed code is listed in the "Solution" section)
- Junos Pulse (Mobile) on Android version 4.2R1 and higher. (Fixed code is listed in the "Solution" section)
- Junos Pulse (Mobile) on iOS version 4.2R1 and higher. (This client is only impacted when used in FIPS mode.) (Fixed code is listed in the "Solution" section)
- WebApp Secure (Fixed code is listed in the "Solution" section)
- Odyssey client 5.6r5 and later (Fixed code is listed in the "Solution" section)

Products Not Vulnerable
- Junos OS 13.2 and earlier is not vulnerable
- Non-FIPS version of Network Connect clients are not vulnerable
- SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable
- SRX Series is not vulnerable
- Junos Space is not vulnerable
- NSM is not vulnerable
- Pulse 4.0r4 and earlier is not vulnerable
- QFabric Director is not vulnerable
- CTPView is not vulnerable
- vGW/FireFly Host is not vulnerable
- Firefly Perimeter is not vulnerable
- ScreenOS is not vulnerable
- UAC 4.3, 4.2, and 4.1 are not vulnerable
- JUNOSe is not vulnerable
- Odyssey client 5.6r4 and earlier are not vulnerable
- Junos Pulse (Mobile) on iOS (Non-FIPS Mode)
- WX-Series is not vulnerable
- Junos DDoS Secure is not vulnerable
- STRM/JSA is not vulnerable
- Media Flow Controller is not vulnerable
- SBR Carrier is not vulnerable
- SBR Enterprise is not vulnerable
- Junos Pulse Mobile Security Suite is not vulnerable
- SRC Series is not vulnerable
- Junos Pulse Endpoint Profiler is not vulnerable
- Smart Pass is not vulnerable
- Ring Master is not vulnerable
- ADC is not vulnerable
- Stand Alone IDP is not vulnerable
- CX-Series is not vulnerable
- WL-Series is not vulnerable
- J-Series is not vulnerable

Products currently under investigation
- No products

Juniper continues to investigate this issue and as new information becomes available this document will be updated.

This issue has been assigned CVE-2014-0160.

Solution:

SSL VPN (IVEOS): Juniper Networks has released IVEOS 8.0R3.2 and 7.4R9.3. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/KB29004

UAC: Juniper Networks has released UAC 5.0r3.2. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/KB29007
Juniper Networks has released UAC 4.4r10. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/KB29007

Odyssey client: See UAC section as the client update with the fix is pushed from the UAC server.

Junos: Juniper Networks has released Junos OS 13.3R1.8 to resolve this issue. Customers are encouraged to upgrade to 13.3R1.8 from earlier versions of 13.3R1 to resolve this issue.

Junos Pulse (Desktop): Juniper Networks has released Pulse Desktop 5.0R3.1 and Pulse Desktop 4.0R9.2. For more information surrounding this issue for this client please see KB: http://kb.juniper.net/KB29004

Junos Pulse (Mobile): Juniper Networks has released Junos Pulse for Android version 5.0R3 (44997) which is now available for download on the Google Play Store. Juniper Networks has released Junos Pulse for Apple iOS version 5.0.3.44999 which is available for download from Apple App Store.

WebApp Secure: Juniper has pushed a software update (5.1.3-30) to systems that will resolve this issue. Please initiate the upgrade to resolve this issue. Release Notes

IDP Signatures: Juniper has released signatures to detect this issue. The signature released to address Heartbleed vulnerability has been added to a separate category. The signature has NOT been added to the "Recommended" predefined attack group. Please see the following link for more information about our signatures for this issue: http://forums.juniper.net/t5/Security-Mobility-Now/FAQ-Protecting-your-OpenSSL-Server-from-HeartBleed-using-IDP/ba-p/238256

Sigpack 2362 released:
https://signatures.juniper.net/restricted/sigupdates/nsm-updates/updates.xml
https://signatures.juniper.net/restricted/sigupdates/nsm-updates/2362.html

SSL: OpenSSL TLS DTLS Heartbeat Information Disclosure: http://signatures.juniper.net/documentation/signatures/SSL%3AOPENSSL-TLS-DTLS-HEARTBEAT.html

DI Signatures: At this point in time there is no plan to offer DI signatures for this issue.

Note: This advisory will be updated as new information is made available.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:

Junos: Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
- Disabling J-Web
- Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes
- Limit access to J-Web and XNM-SSL from only trusted networks

SSL VPN/UAC: Other than downgrading to an unaffected release, there are no workarounds for this issue.

CVSS Score: 9.4 (AV:N/AC:L/Au:N/C:C/I:C/A:N)

Risk Level: Critical

Risk Assessment: We consider this to be a critical issue. The sensitive information potentially exposed by this issue can be leveraged to further compromise the system. Exploits are known to exist in the wild. Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10653 – 2014-10 Security Bulletin: Junos: BGP UPDATE with crafted transitive...

This issue can affect any product or platform running Junos OS 9.1 and later releases with BGP configured and enabled.

A BGP UPDATE containing a specifically crafted set of transitive attributes can cause corruption of memory ultimately leading to an RPD routing process crash and restart. The crash was only achieved through in-house routing protocol fuzz testing. This issue only affects routers supporting 4-byte AS numbers, introduced starting with Junos OS 9.1. Additionally, the router is only vulnerable if the BGP peer does not support 4-byte AS numbers.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3818.

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R11, 12.1R10, 12.1X44-D40, 12.1X46-D30, 12.1X47-D11, 12.1X47-D15, 12.1X48-D41, 12.1X48-D62, 12.2R8, 12.2X50-D70, 12.3R6, 13.1R4-S2, 13.1X49-D49, 13.1X50-D30, 13.2R4, 13.2X50-D20, 13.2X51-D25, 13.2X52-D15, 13.3R2, 14.1R1, and all subsequent releases.

This issue is being tracked as PR 953037 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

No known workaround exists for this issue.

How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
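
The bulletin above says a router is only vulnerable when its BGP peer does not support 4-byte AS numbers. The following is an added example, not Juniper code: it checks that peer-side condition by parsing a BGP OPEN message for the 4-octet AS capability (code 65, RFC 6793). The function names and the sample OPEN messages are constructed for illustration, and the check says nothing about the router's own Junos release.

```python
import struct

OPT_PARAM_CAPABILITIES = 2   # RFC 5492 optional parameter type
CAP_FOUR_OCTET_AS = 65       # RFC 6793 capability code

def _tlvs(buf: bytes):
    """Yield (type, value) pairs from a run of 1-byte-type, 1-byte-length TLVs."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated TLV")
        yield buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def peer_supports_4byte_as(msg: bytes) -> bool:
    """True if a raw BGP OPEN message advertises the 4-octet AS capability."""
    if len(msg) < 29:
        raise ValueError("too short for a BGP OPEN")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != 1 or length != len(msg):
        raise ValueError("not a complete BGP OPEN")
    params = msg[29:]
    if msg[28] != len(params):
        raise ValueError("optional parameter length mismatch")
    for p_type, p_val in _tlvs(params):
        if p_type != OPT_PARAM_CAPABILITIES:
            continue
        for code, val in _tlvs(p_val):
            if code == CAP_FOUR_OCTET_AS and len(val) == 4:
                return True
    return False

def peers_meeting_condition(opens: dict) -> list:
    """Peers whose OPEN lacks the capability (the bulletin's peer-side condition)."""
    return sorted(p for p, m in opens.items() if not peer_supports_4byte_as(m))

def build_open(my_as: int, caps: list) -> bytes:
    """Construct a sample OPEN for testing (constructed data, not a capture)."""
    cap_bytes = b"".join(bytes([c, len(v)]) + v for c, v in caps)
    params = bytes([OPT_PARAM_CAPABILITIES, len(cap_bytes)]) + cap_bytes
    body = struct.pack("!BHH4sB", 4, my_as, 180, bytes([192, 0, 2, 1]), len(params)) + params
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 1) + body

# Constructed samples: one peer advertising capability 65, one legacy peer without it.
SAMPLE_OPENS = {
    "192.0.2.1": build_open(23456, [(1, b"\x00\x01\x00\x01"), (65, struct.pack("!I", 4200000001))]),
    "192.0.2.2": build_open(64512, [(1, b"\x00\x01\x00\x01"), (2, b"")]),
}

if __name__ == "__main__":
    print(peers_meeting_condition(SAMPLE_OPENS))
```

Sessions to the peers this returns are the ones to prioritise when scheduling the upgrade to a fixed release, since the bulletin lists no workaround.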