===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                              ESB-2024.0712.2                              
2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in
                             JSA Applications                              
                             29 February 2024                              
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           JSA Series                                              
Publisher:         Juniper Networks                                        
Operating System:  Juniper                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-31484 CVE-2021-4048 CVE-2023-46136             
                   CVE-2023-37920 CVE-2023-1370 CVE-2023-35116             
                   CVE-2021-23445 CVE-2023-34455 CVE-2023-34454            
                   CVE-2023-34453 CVE-2023-43804 CVE-2023-33201            
                   CVE-2023-2976 CVE-2022-25883 CVE-2023-43642             
                   CVE-2023-38263 CVE-2023-38020 CVE-2023-38019            
                   CVE-2023-45133 CVE-2021-31684                           

Original Bulletin:
   https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved-in-JSA-Applications

Comment: CVSS (Max):  9.1 CVE-2021-4048 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
         CVSS Source: Juniper                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Revision History:  February 29 2024: CVSS (Max) score increased
                   February  1 2024: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA76718

Product Affected: These issues affect Juniper Secure Analytics (JSA)
Applications.

Severity Level:   Critical

CVSS Score:       9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

Problem:

Multiple vulnerabilities have been resolved in Juniper Secure Analytics
optional applications.

These issues affect Juniper Networks Juniper Secure Analytics:

o Log Collector prior to version v1.8.4

o SOAR Plugin App prior to version 5.3.1

o Deployment Intelligence App prior to 3.0.12

o User Behavior Analytics Application add-on prior to 4.1.14

This issue was discovered during external security research.

+--------------+----------+---------------------------------------------------+
|     CVE      |   CVSS   |                      Summary                      |
+--------------+----------+---------------------------------------------------+
|              |          |jackson-databind through 2.15.2 allows attackers to|
|              |4.7 (     |cause a denial of service or other unspecified     |
|              |CVSS:3.1/ |impact via a crafted object that uses cyclic       |
|CVE-2023-35116|AV:L/AC:H/|dependencies. NOTE: the vendor's perspective is    |
|              |PR:L/UI:N/|that this is not a valid vulnerability report,     |
|              |S:U/C:N/  |because the steps of constructing a cyclic data    |
|              |I:N/A:H ) |structure and trying to serialize it cannot be     |
|              |          |achieved by an external attacker.                  |
+--------------+----------+---------------------------------------------------+
|              |          |snappy-java is a fast compressor/decompressor for  |
|              |          |Java. Due to unchecked multiplications, an integer |
|              |          |overflow may occur in versions prior to 1.1.10.1,  |
|              |          |causing a fatal error. The function `shuffle(int[] |
|              |          |input)` in the file `BitShuffle.java` receives an  |
|              |          |array of integers and applies a bit shuffle on it. |
|              |          |It does so by multiplying the length by 4 and      |
|              |          |passing it to the natively compiled shuffle        |
|              |          |function. Since the length is not tested, the      |
|              |7.5 (     |multiplication by four can cause an integer        |
|              |CVSS:3.1/ |overflow and become a smaller value than the true  |
|              |AV:N/AC:L/|size, or even zero or negative. In the case of a   |
|CVE-2023-34453|PR:N/UI:N/|negative value, a                                  |
|              |S:U/C:N/  |`java.lang.NegativeArraySizeException` exception   |
|              |I:N/A:H ) |is raised, which can crash the program. In a case  |
|              |          |of a value that is zero or too small, the code that|
|              |          |afterwards references the shuffled array will      |
|              |          |assume a bigger size of the array, which might     |
|              |          |cause exceptions such as                           |
|              |          |`java.lang.ArrayIndexOutOfBoundsException`. The    |
|              |          |same issue exists also when using the `shuffle`    |
|              |          |functions that receive a double, float, long and   |
|              |          |short, each using a different multiplier that may  |
|              |          |cause the same issue. Version 1.1.10.1 contains a  |
|              |          |patch for this vulnerability.                      |
+--------------+----------+---------------------------------------------------+
|              |          |snappy-java is a fast compressor/decompressor for  |
|              |          |Java. Due to use of an unchecked chunk length, an  |
|              |          |unrecoverable fatal error can occur in versions    |
|              |          |prior to 1.1.10.1. The code in the function        |
|              |          |hasNextChunk in the file SnappyInputStream.java    |
|              |          |checks if a given stream has more chunks to read.  |
|              |          |It does that by attempting to read 4 bytes. If it  |
|              |          |wasn't possible to read the 4 bytes, the function  |
|              |7.5 (     |returns false. Otherwise, if 4 bytes were          |
|              |CVSS:3.1/ |available, the code treats them as the length of   |
|CVE-2023-34455|AV:N/AC:L/|the next chunk. In the case that the `compressed`  |
|              |PR:N/UI:N/|variable is null, a byte array is allocated with   |
|              |S:U/C:N/  |the size given by the input data. Since the code   |
|              |I:N/A:H ) |doesn't test the legality of the `chunkSize`       |
|              |          |variable, it is possible to pass a negative number |
|              |          |(such as 0xFFFFFFFF which is -1), which will cause |
|              |          |the code to raise a                                |
|              |          |`java.lang.NegativeArraySizeException` exception. A|
|              |          |worse case would happen when passing a huge        |
|              |          |positive value (such as 0x7FFFFFFF), which would   |
|              |          |raise the fatal `java.lang.OutOfMemoryError` error.|
|              |          |Version 1.1.10.1 contains a patch for this issue.  |
+--------------+----------+---------------------------------------------------+
|              |          |snappy-java is a fast compressor/decompressor for  |
|              |          |Java. Due to unchecked multiplications, an integer |
|              |          |overflow may occur in versions prior to 1.1.10.1,  |
|              |          |causing an unrecoverable fatal error. The function |
|              |          |`compress(char[] input)` in the file `Snappy.java` |
|              |          |receives an array of characters and compresses it. |
|              |          |It does so by multiplying the length by 2 and      |
|              |          |passing it to the `rawCompress` function. Since the|
|              |          |length is not tested, the multiplication by two can|
|              |          |cause an integer overflow and become negative. The |
|              |          |rawCompress function then uses the received length |
|              |          |and passes it to the natively compiled             |
|              |          |maxCompressedLength function, using the returned   |
|              |          |value to allocate a byte array. Since the          |
|              |7.5 (     |maxCompressedLength function treats the length as  |
|              |CVSS:3.1/ |an unsigned integer, it doesn't care that it is    |
|CVE-2023-34454|AV:N/AC:L/|negative, and it returns a valid value, which is   |
|              |PR:N/UI:N/|cast to a signed integer by the Java engine. If    |
|              |S:U/C:N/  |the result is negative, a                          |
|              |I:N/A:H ) |`java.lang.NegativeArraySizeException` exception   |
|              |          |will be raised while trying to allocate the array  |
|              |          |`buf`. On the other hand, if the result is         |
|              |          |positive, the `buf` array will successfully be     |
|              |          |allocated, but its size might be too small to use  |
|              |          |for the compression, causing a fatal Access        |
|              |          |Violation error. The same issue exists also when   |
|              |          |using the `compress` functions that receive double,|
|              |          |float, int, long and short, each using a different |
|              |          |multiplier that may cause the same issue. The issue|
|              |          |most likely won't occur when using a byte array,   |
|              |          |since creating a byte array of size 0x80000000 (or |
|              |          |any other negative value) is impossible in the     |
|              |          |first place. Version 1.1.10.1 contains a patch for |
|              |          |this issue.                                        |
+--------------+----------+---------------------------------------------------+
|              |          |snappy-java is a Java port of the snappy, a fast   |
|              |          |C++ compressor/decompressor developed by Google.   |
|              |          |The SnappyInputStream was found to be vulnerable to|
|              |7.5 (     |Denial of Service (DoS) attacks when decompressing |
|              |CVSS:3.1/ |data with a too large chunk size. Due to missing   |
|              |AV:N/AC:L/|upper bound check on chunk length, an unrecoverable|
|CVE-2023-43642|PR:N/UI:N/|fatal error can occur. All versions of snappy-java |
|              |S:U/C:N/  |up to and including 1.1.10.3 are vulnerable to this|
|              |I:N/A:H ) |issue. The fix (commit `9f8c3cf74`) is included in |
|              |          |the 1.1.10.4 release. Users are advised to upgrade.|
|              |          |Users unable to upgrade should only accept         |
|              |          |compressed data from trusted sources.              |
+--------------+----------+---------------------------------------------------+
|              |          |Use of Java's default temporary directory for file |
|              |          |creation in `FileBackedOutputStream` in Google     |
|              |7.1 (     |Guava versions 1.0 to 31.1 on Unix systems and     |
|              |CVSS:3.1/ |Android Ice Cream Sandwich allows other users and  |
|CVE-2023-2976 |AV:L/AC:L/|apps on the machine with access to the default Java|
|              |PR:L/UI:N/|temporary directory to be able to access the files |
|              |S:U/C:H/  |created by the class. Even though the security     |
|              |I:H/A:N ) |vulnerability is fixed in version 32.0.0, we       |
|              |          |recommend using version 32.0.1 as version 32.0.0   |
|              |          |breaks some functionality under Windows.           |
+--------------+----------+---------------------------------------------------+
|              |          |Bouncy Castle For Java before 1.74 is affected by  |
|              |5.3 (     |an LDAP injection vulnerability. The vulnerability |
|              |CVSS:3.1/ |only affects applications that use an LDAP         |
|              |AV:N/AC:L/|CertStore from Bouncy Castle to validate X.509     |
|CVE-2023-33201|PR:N/UI:N/|certificates. During the certificate validation    |
|              |S:U/C:L/  |process, Bouncy Castle inserts the certificate's   |
|              |I:N/A:N ) |Subject Name into an LDAP search filter without any|
|              |          |escaping, which leads to an LDAP injection         |
|              |          |vulnerability.                                     |
+--------------+----------+---------------------------------------------------+
|              |          |Werkzeug is a comprehensive WSGI web application   |
|              |          |library. If an uploaded file starts with CR or LF  |
|              |          |and is then followed by megabytes of data without  |
|              |7.5 (     |those characters, all of those bytes are appended  |
|              |CVSS:3.1/ |chunk by chunk to an internal bytearray, and the   |
|CVE-2023-46136|AV:N/AC:L/|boundary lookup is repeated on the growing buffer. |
|              |PR:N/UI:N/|This allows an attacker to cause a denial of       |
|              |S:U/C:N/  |service by sending crafted multipart data to an    |
|              |I:N/A:H ) |endpoint that will parse it. The amount of CPU time|
|              |          |required can block worker processes from handling  |
|              |          |legitimate requests. This vulnerability has been   |
|              |          |patched in version 3.0.1.                          |
+--------------+----------+---------------------------------------------------+
|              |          |urllib3 is a user-friendly HTTP client library for |
|              |          |Python. urllib3 doesn't treat the `Cookie` HTTP    |
|              |8.1 (     |header special or provide any helpers for managing |
|              |CVSS:3.1/ |cookies over HTTP, that is the responsibility of   |
|CVE-2023-43804|AV:N/AC:L/|the user. However, it is possible for a user to    |
|              |PR:L/UI:N/|specify a `Cookie` header and unknowingly leak     |
|              |S:U/C:H/  |information via HTTP redirects to a different      |
|              |I:H/A:N ) |origin if that user doesn't disable redirects      |
|              |          |explicitly. This issue has been patched in urllib3 |
|              |          |version 1.26.17 or 2.0.5.                          |
+--------------+----------+---------------------------------------------------+
|              |          |Certifi is a curated collection of Root            |
|              |9.8 (     |Certificates for validating the trustworthiness of |
|              |CVSS:3.1/ |SSL certificates while verifying the identity of   |
|              |AV:N/AC:L/|TLS hosts. Certifi prior to version 2023.07.22     |
|CVE-2023-37920|PR:N/UI:N/|recognizes "e-Tugra" root certificates. e-Tugra's  |
|              |S:U/C:H/  |root certificates were subject to an investigation |
|              |I:H/A:H ) |prompted by reporting of security issues in their  |
|              |          |systems. Certifi 2023.07.22 removes root           |
|              |          |certificates from "e-Tugra" from the root store.   |
+--------------+----------+---------------------------------------------------+
|              |7.5 (     |                                                   |
|              |CVSS:3.1/ |Versions of the package semver before 7.5.2 are    |
|CVE-2022-25883|AV:N/AC:L/|vulnerable to Regular Expression Denial of Service |
|              |PR:N/UI:N/|(ReDoS) via the function new Range, when untrusted |
|              |S:U/C:N/  |user data is provided as a range.                  |
|              |I:N/A:H ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |          |Babel is a compiler for writing JavaScript. In     |
|              |          |`@babel/traverse` prior to versions 7.23.2 and     |
|              |          |8.0.0-alpha.4 and all versions of `babel-traverse`,|
|              |          |using Babel to compile code that was specifically  |
|              |          |crafted by an attacker can lead to arbitrary code  |
|              |          |execution during compilation, when using plugins   |
|              |          |that rely on the `path.evaluate()`or               |
|              |          |`path.evaluateTruthy()` internal Babel methods.    |
|              |          |Known affected plugins are `@babel/                |
|              |          |plugin-transform-runtime`; `@babel/preset-env` when|
|              |          |using its `useBuiltIns` option; and any "polyfill  |
|              |          |provider" plugin that depends on `@babel/          |
|              |          |helper-define-polyfill-provider`, such as          |
|              |          |`babel-plugin-polyfill-corejs3`,                   |
|              |8.8 (     |`babel-plugin-polyfill-corejs2`,                   |
|              |CVSS:3.1/ |`babel-plugin-polyfill-es-shims`,                  |
|CVE-2023-45133|AV:L/AC:L/|`babel-plugin-polyfill-regenerator`. No other      |
|              |PR:L/UI:N/|plugins under the `@babel/` namespace are impacted,|
|              |S:C/C:H/  |but third-party plugins might be. Users that only  |
|              |I:H/A:H ) |compile trusted code are not impacted. The         |
|              |          |vulnerability has been fixed in `@babel/           |
|              |          |traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4|
|              |          |`. Those who cannot upgrade `@babel/traverse` and  |
|              |          |are using one of the affected packages mentioned   |
|              |          |above should upgrade them to their latest version  |
|              |          |to avoid triggering the vulnerable code path in    |
|              |          |affected `@babel/traverse` versions: `@babel/      |
|              |          |plugin-transform-runtime` v7.23.2, `@babel/        |
|              |          |preset-env` v7.23.2, `@babel/                      |
|              |          |helper-define-polyfill-provider` v0.4.3,           |
|              |          |`babel-plugin-polyfill-corejs2` v0.4.6,            |
|              |          |`babel-plugin-polyfill-corejs3` v0.8.5,            |
|              |          |`babel-plugin-polyfill-es-shims` v0.10.0,          |
|              |          |`babel-plugin-polyfill-regenerator` v0.5.3.        |
+--------------+----------+---------------------------------------------------+
|              |8.1 (     |                                                   |
|              |CVSS:3.1/ |CPAN.pm before 2.35 does not verify TLS            |
|CVE-2023-31484|AV:N/AC:H/|certificates when downloading distributions over   |
|              |PR:N/UI:N/|HTTPS.                                             |
|              |S:U/C:H/  |                                                   |
|              |I:H/A:H ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |          |[Json-smart](https://netplex.github.io/json-smart/)|
|              |          |is a performance focused, JSON processor lib. When |
|              |7.5 (     |reaching a '[' or '{' character in the JSON input, |
|              |CVSS:3.1/ |the code parses an array or an object respectively.|
|CVE-2023-1370 |AV:N/AC:L/|It was discovered that the code does not have any  |
|              |PR:N/UI:N/|limit to the nesting of such arrays or objects.    |
|              |S:U/C:N/  |Since the parsing of nested arrays and objects is  |
|              |I:N/A:H ) |done recursively, nesting too many of them can     |
|              |          |cause a stack exhaustion (stack overflow) and crash|
|              |          |the software.                                      |
+--------------+----------+---------------------------------------------------+
|              |9.1 (     |An out-of-bounds read flaw was found in the CLARRV,|
|              |CVSS:3.1/ |DLARRV, SLARRV, and ZLARRV functions in lapack     |
|              |AV:N/AC:L/|through version 3.10.0, as also used in OpenBLAS   |
|CVE-2021-4048 |PR:N/UI:N/|before version 0.3.18. Specially crafted inputs    |
|              |S:U/C:H/  |passed to these functions could cause an           |
|              |I:N/A:H ) |application using lapack to crash or possibly      |
|              |          |disclose portions of its memory.                   |
+--------------+----------+---------------------------------------------------+
|              |6.1 (     |                                                   |
|              |CVSS:3.1/ |This affects the package datatables.net before     |
|CVE-2021-23445|AV:N/AC:L/|1.11.3. If an array is passed to the HTML escape   |
|              |PR:N/UI:R/|entities function it would not have its contents   |
|              |S:C/C:L/  |escaped.                                           |
|              |I:L/A:N ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |7.5 (     |                                                   |
|              |CVSS:3.1/ |A vulnerability was discovered in the indexOf      |
|CVE-2021-31684|AV:N/AC:L/|function of JSONParserByteArray in JSON Smart      |
|              |PR:N/UI:N/|versions 1.3 and 2.4 which causes a denial of      |
|              |S:U/C:N/  |service (DOS) via a crafted web request.           |
|              |I:N/A:H ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |8.1 (     |IBM SOAR QRadar Plugin App could allow a remote    |
|              |CVSS:3.0/ |attacker to traverse directories on the system. An |
|CVE-2023-38019|AV:N/AC:L/|attacker could send a specially crafted URL request|
|              |PR:L/UI:N/|containing "dot dot" sequences (/../) to view      |
|              |S:U/C:H/  |arbitrary files on the system.                     |
|              |I:H/A:N ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |4.3 (     |                                                   |
|              |CVSS:3.0/ |IBM SOAR QRadar Plugin App could allow an          |
|CVE-2023-38020|AV:N/AC:L/|authenticated user to manipulate output written to |
|              |PR:L/UI:N/|log files.                                         |
|              |S:U/C:N/  |                                                   |
|              |I:L/A:N ) |                                                   |
+--------------+----------+---------------------------------------------------+
|              |6.5 (     |                                                   |
|              |CVSS:3.0/ |IBM SOAR QRadar Plugin App could allow an          |
|CVE-2023-38263|AV:N/AC:L/|authenticated user to perform unauthorized actions |
|              |PR:L/UI:N/|due to improper access controls.                   |
|              |S:U/C:N/  |                                                   |
|              |I:H/A:N ) |                                                   |
+--------------+----------+---------------------------------------------------+
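
The four snappy-java entries above describe two shapes of the same mistake: a byte length derived from an attacker-influenced element count by an unchecked 32-bit multiplication (CVE-2023-34453, CVE-2023-34454), and a chunk length read straight from the stream with no lower or upper bound (CVE-2023-34455, CVE-2023-43642). The following is an added example, not snappy-java's code: it emulates Java `int` arithmetic in Python to show the wraparound the advisory describes, and places the vulnerable pattern beside the bounds check that closes it. `MAX_CHUNK`, the function names and the sample headers are assumptions made for illustration.

```python
import struct

INT_MAX = 0x7FFFFFFF  # java.lang.Integer.MAX_VALUE


def java_int(x: int) -> int:
    """Wrap a Python integer to Java's signed 32-bit `int` (two's complement),
    which is the arithmetic an expression such as `len * 4` is evaluated in."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x


def unchecked_byte_length(num_elements: int, element_size: int) -> int:
    """Vulnerable pattern (CVE-2023-34453 / CVE-2023-34454): element count
    times element size in int arithmetic with no bound on the count, so a
    large array yields a byte length that is too small, zero, or negative."""
    return java_int(num_elements * element_size)


def checked_byte_length(num_elements: int, element_size: int) -> int:
    """Hardened pattern: refuse any count whose product cannot fit in an int."""
    if num_elements < 0 or num_elements > INT_MAX // element_size:
        raise ValueError(f"array of {num_elements} elements is too large")
    return num_elements * element_size


# Assumed application bound on one compressed chunk (illustrative value;
# snappy-java's own post-fix limit may differ).
MAX_CHUNK = 512 * 1024


def read_chunk_length_unchecked(header: bytes) -> int:
    """Vulnerable pattern (CVE-2023-34455 / CVE-2023-43642): the 4-byte
    big-endian chunk length is trusted as-is, so 0xFFFFFFFF becomes -1 and
    0x7FFFFFFF asks for a 2 GiB allocation."""
    return struct.unpack(">i", header[:4])[0]


def read_chunk_length_checked(header: bytes) -> int:
    """Hardened pattern: validate the length before any allocation happens."""
    if len(header) < 4:
        raise ValueError("truncated chunk header")
    n = struct.unpack(">i", header[:4])[0]
    if n <= 0 or n > MAX_CHUNK:
        raise ValueError(f"invalid chunk length {n:#x}")
    return n


def rejected(fn, *args) -> bool:
    """True if the checked variant refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: an int[] of 0x20000000 elements and a long[] of
    # 0x10000000 elements both overflow; the chunk headers are constructed too.
    print(unchecked_byte_length(0x20000000, 4), unchecked_byte_length(0x10000000, 8))
    print(read_chunk_length_unchecked(b"\xff\xff\xff\xff"))
    print(rejected(checked_byte_length, 0x20000000, 4),
          rejected(read_chunk_length_checked, b"\x7f\xff\xff\xff"))
```

The multiplier is the only thing that changes between the `int`, `long`, `short`, `char`, `float` and `double` overloads the advisory lists, so a single `INT_MAX // element_size` bound covers all of them; the byte-array case cannot overflow because a Java array length is already capped at `INT_MAX`.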
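
The CVE-2023-33201 entry above turns on one missing step: the certificate's Subject Name is interpolated into an LDAP search filter without escaping. The following is an added example, not Bouncy Castle's code: an RFC 4515 value escaper, the vulnerable and fixed filter builders side by side, and a structural check that counts filter components so the injected clause is visible. The filter shape, the `pkiUser` object class and the sample subject are constructed for illustration.

```python
# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value. Backslash is listed first so it is never double-escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def cert_filter_unescaped(subject_cn: str) -> str:
    """Vulnerable pattern described for CVE-2023-33201: the certificate's
    subject is interpolated into the filter verbatim."""
    return f"(&(objectClass=pkiUser)(cn={subject_cn}))"


def cert_filter_escaped(subject_cn: str) -> str:
    """Fixed pattern: the value is escaped, so filter metacharacters in the
    subject stay inside the cn assertion instead of adding new clauses."""
    return f"(&(objectClass=pkiUser)(cn={ldap_escape(subject_cn)}))"


def assertion_count(flt: str) -> int:
    """Number of filter components, i.e. '(' characters. Escaped parentheses
    appear as \\28 / \\29 and therefore are not counted."""
    return flt.count("(")


if __name__ == "__main__":
    # Constructed subject CN carrying filter metacharacters.
    evil = "victim*)(objectClass=*"
    print(cert_filter_unescaped(evil), assertion_count(cert_filter_unescaped(evil)))
    print(cert_filter_escaped(evil), assertion_count(cert_filter_escaped(evil)))
```

With the crafted subject, the unescaped filter gains a fourth component, `(objectClass=*)`, which matches every entry in the directory; the escaped filter still has three components and searches for the literal string.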
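
The CVE-2023-43804 entry above is a policy question rather than a parsing bug: which request headers may accompany a redirect to a different origin. The following is an added example, not urllib3's code: a small redirect-following routine that keeps headers on same-origin hops and strips `Cookie` (and `Authorization`) when the scheme, host or port changes, which is the behaviour the patched urllib3 versions adopt by default. The hop table and header values are constructed; no network access is performed.

```python
from urllib.parse import urlsplit

# Headers that must never follow a redirect to another origin. Compared
# case-insensitively, as header names are.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})


def origin(url: str) -> tuple:
    """(scheme, host, port) with default ports filled in, so that
    https://a/ and https://a:443/ compare as the same origin."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def headers_for_redirect(headers: dict, from_url: str, to_url: str) -> dict:
    """Header set for the next hop: unchanged for a same-origin redirect,
    minus SENSITIVE_HEADERS when the origin changes (the CVE-2023-43804 fix)."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(start_url: str, headers: dict, hops: dict, max_hops: int = 5) -> list:
    """Walk a constructed redirect chain (`hops` maps a URL to its Location
    target) and record the headers each hop would receive.
    Returns a list of (url, headers) pairs in request order."""
    trail = []
    url, current = start_url, dict(headers)
    for _ in range(max_hops + 1):
        trail.append((url, current))
        nxt = hops.get(url)
        if nxt is None:
            return trail
        current = headers_for_redirect(current, url, nxt)
        url = nxt
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    # Constructed scenario: the API host answers 302 to a different origin.
    chain = {"https://api.example.com/login": "https://other.example.net/capture"}
    sent = {"Cookie": "session=abc123", "Authorization": "Bearer t0k", "Accept": "*/*"}
    for url, hdrs in follow_redirects("https://api.example.com/login", sent, chain):
        print(url, sorted(hdrs))
```

Port normalisation matters: without it a redirect from `https://host/` to `https://host:443/` would be treated as cross-origin and lose the session cookie, which is the kind of false positive that tempts developers to disable the check.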
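
The CVE-2023-1370 entry above describes a recursive-descent parser whose recursion depth is chosen by the sender. The following is an added example, not json-smart's code: a minimal parser for JSON arrays and objects with an explicit nesting limit, so that a 100,000-deep document is refused with an ordinary parse error before the stack is exhausted. `MAX_DEPTH`, the class and function names and the toy handling of strings (no escape sequences) are assumptions made for illustration.

```python
MAX_DEPTH = 64  # assumed application limit on nesting


class ParseError(ValueError):
    pass


class Parser:
    def __init__(self, text: str, max_depth: int = MAX_DEPTH):
        self.s, self.i, self.max_depth = text, 0, max_depth

    def parse(self):
        v = self._value(depth=0)
        self._ws()
        if self.i != len(self.s):
            raise ParseError(f"trailing data at {self.i}")
        return v

    def _ws(self):
        while self.i < len(self.s) and self.s[self.i] in " \t\r\n":
            self.i += 1

    def _peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def _next(self):
        c = self._peek()
        if not c:
            raise ParseError("unexpected end of input")
        self.i += 1
        return c

    def _enter(self, depth: int):
        # The check the vulnerable code lacked: bound recursion before descending.
        if depth > self.max_depth:
            raise ParseError(f"nesting deeper than {self.max_depth}")

    def _value(self, depth: int):
        self._ws()
        c = self._peek()
        if c == "[":
            return self._array(depth + 1)
        if c == "{":
            return self._object(depth + 1)
        if c == '"':
            return self._string()
        return self._scalar()

    def _array(self, depth: int):
        self._enter(depth)
        self.i += 1  # consume '['
        out = []
        self._ws()
        if self._peek() == "]":
            self.i += 1
            return out
        while True:
            out.append(self._value(depth))
            self._ws()
            c = self._next()
            if c == "]":
                return out
            if c != ",":
                raise ParseError(f"expected ',' or ']' at {self.i - 1}")

    def _object(self, depth: int):
        self._enter(depth)
        self.i += 1  # consume '{'
        out = {}
        self._ws()
        if self._peek() == "}":
            self.i += 1
            return out
        while True:
            self._ws()
            if self._peek() != '"':
                raise ParseError(f"expected string key at {self.i}")
            key = self._string()
            self._ws()
            if self._next() != ":":
                raise ParseError(f"expected ':' at {self.i - 1}")
            out[key] = self._value(depth)
            self._ws()
            c = self._next()
            if c == "}":
                return out
            if c != ",":
                raise ParseError(f"expected ',' or '}}' at {self.i - 1}")

    def _string(self):
        self.i += 1  # opening quote; escape sequences are not handled here
        j = self.s.find('"', self.i)
        if j < 0:
            raise ParseError("unterminated string")
        v, self.i = self.s[self.i:j], j + 1
        return v

    def _scalar(self):
        j = self.i
        while j < len(self.s) and self.s[j] not in ",]} \t\r\n":
            j += 1
        tok, self.i = self.s[self.i:j], j
        if tok in ("true", "false", "null"):
            return {"true": True, "false": False, "null": None}[tok]
        try:
            return int(tok) if tok.lstrip("-").isdigit() else float(tok)
        except ValueError:
            raise ParseError(f"bad token {tok!r}") from None


def parse_json(text: str, max_depth: int = MAX_DEPTH):
    return Parser(text, max_depth).parse()


def is_accepted(text: str, max_depth: int = MAX_DEPTH) -> bool:
    """True if the document parses within the limit. A hostile document fails
    only with ParseError, never with RecursionError or a native stack overflow."""
    try:
        parse_json(text, max_depth)
    except ParseError:
        return False
    return True
```

The depth counter is incremented on entry to every array or object and checked before any further recursion, so the cost of a hostile document is bounded by `MAX_DEPTH` frames regardless of how many brackets it contains.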

Solution:

The following software releases have been updated to resolve these specific
issues:

o Disconnected Log Collector v1.8.4 and all subsequent releases.

o SOAR Plugin App 5.3.1 and all subsequent releases.

o Deployment Intelligence App 3.0.12 and all subsequent releases.

o User Behavior Analytics Application add-on 4.1.14 and all subsequent releases.

Software updates are available for download at https://support.juniper.net/
support/downloads/

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

There are no known workarounds for these issues.

Modification History:

  o 2024-01-31: Initial Publication.

Related Information:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team
  o https://www.ibm.com/support/pages/node/7110903?myns=swgother&mynp=OCSSBQAC&
    mync=E&cm_sp=swgother-_-OCSSBQAC-_-E
  o https://www.ibm.com/support/pages/node/7111679?myns=swgother&mynp=OCSSBQAC&
    mync=E&cm_sp=swgother-_-OCSSBQAC-_-E
  o https://www.ibm.com/support/pages/node/7111720?myns=swgother&mynp=OCSSBQAC&
    mync=E&cm_sp=swgother-_-OCSSBQAC-_-E
  o https://www.ibm.com/support/pages/node/7112498?myns=swgother&mynp=OCSSBQAC&
    mync=E&cm_sp=swgother-_-OCSSBQAC-_-E

Last Updated: 2024-02-01
Created:      2024-02-01

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================