Juniper Networks this week released patches for more than 60 vulnerabilities in its Juniper Advanced Threat Prevention (ATP) appliance, Junos OS operating system, and Junos Space network management platform. Many of the security holes impact third-party components.
In Juniper ATP appliances, the company addressed 13 flaws, including persistent cross-site scripting (XSS), arbitrary command execution, hardcoded credentials, information disclosure, and unprotected credentials issues.
Three of the vulnerabilities fixed in ATP devices have been rated “critical,” including ones related to the existence of hardcoded credentials and the storage of Splunk credentials in a file that can be accessed by authenticated local users.
Another three flaws have been assigned a CVSS score between 7.0 and 8.9, which puts them in the “high” severity category. The list includes issues related to the insecure storage of keys used for critical operations in the WebUI interface, the logging of secret passphrase CLI inputs in clear text, and a remote command execution weakness in the XML-RPC server.
In the Junos OS operating system, which powers many of Juniper’s appliances, the company addressed eight vulnerabilities disclosed in the past three years in the libxml2 library, which is used for parsing XML documents. Many of these libxml2 flaws have been assigned “critical” and “high” severity ratings. They can be exploited for denial-of-service (DoS) attacks and other purposes.
Also in Junos OS, the company fixed two OpenSSL vulnerabilities patched by the OpenSSL Project last year.
Finally, Juniper patched nearly 40 vulnerabilities in Junos Space. Nine security holes – one rated “high” and the rest “medium” – have been resolved in version 18.3R1.
The rest were fixed in version 18.4R1, including one critical bug that can lead to privilege escalation and arbitrary code execution. A majority of the vulnerabilities addressed in this version have a high severity.
A majority of the Junos Space vulnerabilities impact third-party components and they have been disclosed in 2017 and 2018. The impacted components include QEMU, the Linux kernel (including SegmentSmack), Intel CPUs (LazyFP and L1TF vulnerabilities), the glibc library, procps-ng utilities, libvirt, GnuPG, Samba, BIND, the Web-Dorado Instagram Feed WD plugin, yum-utils tools, the GlusterFS network filesystem, and Mozilla NSS (Network Security Services) libraries.
In addition to the patches released this week, workarounds and mitigations are also available for some of the impacted products.
Related: Juniper Patches Serious Flaws in Junos OS
Related: Juniper Confirms Leaked Implants Target Its Products