Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

             2018-01 Security Bulletin: Junos Space: Multiple
                vulnerabilities resolved in 17.2R1 release
                              15 January 2018


        AusCERT Security Bulletin Summary

Product:           Juniper Junos Space
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Root Compromise                 -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0013 CVE-2018-0012 CVE-2018-0011
                   CVE-2017-1000112 CVE-2017-1000111 CVE-2017-15098
                   CVE-2017-14106 CVE-2017-12172 CVE-2017-9798
                   CVE-2017-9788 CVE-2017-7679 CVE-2017-7668
                   CVE-2017-5664 CVE-2017-5645 CVE-2017-3169
                   CVE-2017-3167 CVE-2016-8743 CVE-2016-8655
                   CVE-2016-2141 CVE-2015-7501 CVE-2015-7236
                   CVE-2015-5304 CVE-2015-5220 CVE-2015-5188

Reference:         ASB-2017.0219

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

2018-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in
17.2R1 release

Categories:    Network Management      Article ID:        JSA10838
               Junos Space
               SIRT Advisory           Last Updated:      12 Jan 2018

                                         Version:           4.0

Product Affected:
Junos Space releases prior to 17.2R1

Multiple vulnerabilities have been resolved in the Junos Space 17.2R1 release,
including updates to third party software found within Junos Space.

Important security issues resolved as a result of these upgrades include:

      CVE          CVSS                          Summary
                 5.5 (
                 CVSS:3.0/ The tcp_disconnect function in net/ipv4/tcp.c in the
                 AV:L/AC:L Linux kernel before 4.12 allows local users to cause
CVE-2017-14106   /PR:L/    a denial of service (__tcp_select_window
                 UI:N/S:U/ divide-by-zero error and system crash) by triggering
                 C:N/I:N/  a disconnect within a certain tcp_recvmsg code path.
                           Linux kernel: heap out-of-bounds in AF_PACKET
                           sockets. This new issue is analogous to previously
                           disclosed CVE-2016-8655. In both cases, a socket
                 7.8 (     option that changes socket state may race with
                 CVSS:3.0/ safety checks in packet_set_ring. Previously with
                 AV:L/AC:L PACKET_VERSION. This time with PACKET_RESERVE. The
CVE-2017-1000111 /PR:L/    solution is similar: lock the socket for the update.
                 UI:N/S:U/ This issue may be exploitable, we did not
                 C:H/I:H/  investigate further. As this issue affects PF_PACKET
                 A:H)      sockets, it requires CAP_NET_RAW in the process
                           namespace. But note that with user namespaces
                           enabled, any process can create a namespace in which
                           it has CAP_NET_RAW.
                           Linux kernel: Exploitable memory corruption due to
                           UFO to non-UFO path switch. When building a UFO
                           packet with MSG_MORE __ip_append_data() calls
                           ip_ufo_append_data() to append. However in between
                           two send() calls, the append path can be switched
                 7.0 (     from UFO to non-UFO one, which leads to a memory
                 CVSS:3.0/ corruption. In case UFO packet lengths exceeds MTU,
                 AV:L/AC:H copy = maxfraglen - skb->len becomes negative on the
CVE-2017-1000112 /PR:L/    non-UFO path and the branch to allocate new skb is
                 UI:N/S:U/ taken. This triggers fragmentation and computation
                 C:H/I:H/  of fraggap = skb_prev->len - maxfraglen. Fraggap can
                 A:H)      exceed MTU, causing copy = datalen - transhdrlen -
                           fraggap to become negative. Subsequently
                           skb_copy_and_csum_bits() writes out-of-bounds. A
                           similar issue is present in IPv6 code. The bug was
                           introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO
                           Scatter-gather approach") on Oct 18 2005.
                           Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS
                           6.x and 5.x; Data Grid (JDG) 6.x; Data
                 9.8 (     Virtualization (JDV) 6.x and 5.x; Enterprise
                 CVSS:3.0/ Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x;
                 AV:N/AC:L Fuse Service Works (FSW) 6.x; Operations Network
CVE-2015-7501    /PR:N/    (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P)
                 UI:N/S:U/ 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS
                 C:H/I:H/  3.x; and Red Hat Subscription Asset Manager 1.3
                 A:H)      allow remote attackers to execute arbitrary commands
                           via a crafted serialized Java object, related to the
                           Apache Commons Collections (ACC) library.
                           Red Hat JBoss Enterprise Application Platform (EAP)
                 3.5 (AV:N before 6.4.5 does not properly authorize access to
CVE-2015-5304    /AC:M/    shut down the server, which allows remote
                 Au:S/C:N/ authenticated users with the Monitor, Deployer, or
                 I:N/A:P)  Auditor role to cause a denial of service via
                           unspecified vectors.
                 9.8 (     JGroups before 4.0 does not require the proper
                 CVSS:3.0/ headers for the ENCRYPT and AUTH protocols from
                 AV:N/AC:L nodes joining the cluster, which allows remote
CVE-2016-2141    /PR:N/    attackers to bypass security restrictions and send
                 UI:N/S:U/ and receive messages within the cluster via
                 C:H/I:H/  unspecified vectors.
                           Directory traversal vulnerability in
                 4.3 (     RequestUtil.java in Apache Tomcat 6.x before 6.0.45,
                 CVSS:3.0/ 7.x before 7.0.65, and 8.x before 8.0.27 allows
                 AV:N/AC:L remote authenticated users to bypass intended
CVE-2015-5174    /PR:L/    SecurityManager restrictions and list a parent
                 UI:N/S:U/ directory via a /.. (slash dot dot) in a pathname
                 C:L/I:N/  used by a web application in a getResource,
                 A:N)      getResourceAsStream, or getResourcePaths call, as
                           demonstrated by the $CATALINA_BASE/webapps
                 9.8 (
                 CVSS:3.0/ In Apache Log4j 2.x before 2.8.2, when using the TCP
                 AV:N/AC:L socket server or UDP socket server to receive
CVE-2017-5645    /PR:N/    serialized log events from another application, a
                 UI:N/S:U/ specially crafted binary payload can be sent that,
                 C:H/I:H/  when deserialized, can execute arbitrary code.
                           The error page mechanism of the Java Servlet
                           Specification requires that, when an error occurs
                           and an error page is configured for the error that
                           occurred, the original request and response are
                           forwarded to the error page. This means that the
                           request is presented to the error page with the
                           original HTTP method. If the error page is a static
                           file, expected behaviour is to serve content of the
                           file as if processing a GET request, regardless of
                 7.5 (     the actual HTTP method. The Default Servlet in
                 CVSS:3.0/ Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to
                 AV:N/AC:L 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did
CVE-2017-5664    /PR:N/    not do this. Depending on the original request this
                 UI:N/S:U/ could lead to unexpected and undesirable results for
                 C:N/I:H/  static error pages including, if the DefaultServlet
                 A:N)      is configured to permit writes, the replacement or
                           removal of the custom error page. Notes for other
                           user provided error pages: (1) Unless explicitly
                           coded otherwise, JSPs ignore the HTTP method. JSPs
                           used as error pages must must ensure that they
                           handle any error dispatch as a GET request,
                           regardless of the actual method. (2) By default, the
                           response generated by a Servlet does depend on the
                           HTTP method. Custom Servlets used as error pages
                           must ensure that they handle any error dispatch as a
                           GET request, regardless of the actual method.
                           Cross-site request forgery (CSRF) vulnerability in
                           the Web Console (web-console) in Red Hat Enterprise
                 6.8 (AV:N Application Platform before 6.4.4 and WildFly
CVE-2015-5188    /AC:M/    (formerly JBoss Application Server) before 2.0.0.CR9
                 Au:N/C:P/ allows remote attackers to hijack the authentication
                 I:P/A:P)  of administrators for requests that make arbitrary
                           changes to an instance via vectors involving a file
                           upload using a multipart/form-data submission.
                 5.0 (AV:N The Web Console in Red Hat Enterprise Application
                 /AC:L/    Platform (EAP) before 6.4.4 and WildFly (formerly
CVE-2015-5220    Au:N/C:N/ JBoss Application Server) allows remote attackers to
                 I:N/A:P)  cause a denial of service (memory consumption) via a
                           large request header.
                 7.5 (
                 CVSS:3.0/ Use-after-free vulnerability in xprt_set_caller in
                 AV:N/AC:L rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows
CVE-2015-7236    /PR:N/    remote attackers to cause a denial of service
                 UI:N/S:U/ (daemon crash) via crafted packets, involving a
                 C:N/I:N/  PMAP_CALLIT code.
                           Apache HTTP Server, in all releases prior to 2.2.32
                 7.5 (     and 2.4.25, was liberal in the whitespace accepted
                 CVSS:3.0/ from requests and sent in response lines and
                 AV:N/AC:L headers. Accepting these different behaviors
CVE-2016-8743    /PR:N/    represented a security concern when httpd
                 UI:N/S:U/ participates in any chain of proxies or interacts
                 C:N/I:H/  with back-end application servers, either through
                 A:N)      mod_proxy or using conventional CGI mechanisms, and
                           may result in request smuggling, response splitting
                           and cache pollution.
                 9.8 (
                 CVSS:3.0/ In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
                 AV:N/AC:L 2.4.26, use of the ap_get_basic_auth_pw() by
CVE-2017-3167    /PR:N/    third-party modules outside of the authentication
                 UI:N/S:U/ phase may lead to authentication requirements being
                 C:H/I:H/  bypassed.
                 9.8 (
                 CVSS:3.0/ In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
                 AV:N/AC:L 2.4.26, mod_ssl may dereference a NULL pointer when
CVE-2017-3169    /PR:N/    third-party modules call ap_hook_process_connection
                 UI:N/S:U/ () during an HTTP request to an HTTPS port.
                 9.8 (     The HTTP strict parsing changes added in Apache
                 CVSS:3.0/ httpd 2.2.32 and 2.4.24 introduced a bug in token
                 AV:N/AC:L list parsing, which allows ap_find_token() to search
CVE-2017-7668    /PR:N/    past the end of its input string. By maliciously
                 UI:N/S:U/ crafting a sequence of request headers, an attacker
                 C:H/I:H/  may be able to cause a segmentation fault, or to
                 A:H)      force ap_find_token() to return an incorrect value.
                 9.8 (
                 CVSS:3.0/ In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
                 AV:N/AC:L 2.4.26, mod_mime can read one byte past the end of a
CVE-2017-7679    /PR:N/    buffer when sending a malicious Content-Type
                 UI:N/S:U/ response header.
                           In Apache httpd before 2.2.34 and 2.4.x before
                 9.1 (     2.4.27, the value placeholder in [Proxy-]
                 CVSS:3.0/ Authorization headers of type 'Digest' was not
                 AV:N/AC:L initialized or reset before or between successive
CVE-2017-9788    /PR:N/    key=value assignments by mod_auth_digest. Providing
                 UI:N/S:U/ an initial key with no '=' assignment could reflect
                 C:H/I:N/  the stale value of uninitialized pool memory used by
                 A:H)      the prior request, leading to leakage of potentially
                           confidential information, and a segfault in other
                           cases resulting in denial of service.
                           Apache httpd allows remote attackers to read secret
                           data from process memory if the Limit directive can
                           be set in a user's .htaccess file, or if httpd.conf
                 7.5 (     has certain misconfigurations, aka Optionsbleed.
                 CVSS:3.0/ This affects the Apache HTTP Server through 2.2.34
                 AV:N/AC:L and 2.4.x through 2.4.27. The attacker sends an
CVE-2017-9798    /PR:N/    unauthenticated OPTIONS HTTP request when attempting
                 UI:N/S:U/ to read secret data. This is a use-after-free issue
                 C:H/I:N/  and thus secret data is not always sent, and the
                 A:N)      specific data depends on many factors including
                           configuration. Exploitation with .htaccess can be
                           blocked with a patch to the ap_limit_section
                           function in server/core.c.
                 5.4 (
                 AV:N/AC:L Junos Space: Reflected XSS vulnerability in Junos
CVE-2018-0011    /PR:L/    Space management interface
                 7.8 (
                 AV:L/AC:L Junos Space: Local privilege escalation
CVE-2018-0012    /PR:L/    vulnerability in Junos Space
                 6.5 (
CVE-2018-0013    /PR:L/    Junos Space: Local File Inclusion Vulnerability
                           PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6,
                           9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x
                           before 9.3.20, and 9.2.x before 9.2.24 runs under a
                           non-root operating system account, and database
                 6.7 (     superusers have effective ability to run arbitrary
                 CVSS:3.0/ code under that system account. PostgreSQL provides
                 AV:L/AC:L a script for starting the database server during
CVE-2017-12172   /PR:H/    system boot. Packages of PostgreSQL for many
                 UI:N/S:U/ operating systems provide their own,
                 C:H/I:H/  packager-authored startup implementations. Several
                 A:H)      implementations use a log file name that the
                           database superuser can replace with a symbolic link.
                           As root, they open(), chmod() and/or chown() this
                           log file name. This often suffices for the database
                           superuser to escalate to root privileges when root
                           starts the server.
                 8.1 (     Invalid json_populate_recordset or
                 CVSS:3.0/ jsonb_populate_recordset function calls in
                 AV:N/AC:L PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6,
CVE-2017-15098   /PR:L/    9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x
                 UI:N/S:U/ before 9.3.20 can crash the server or disclose a few
                 C:H/I:N/  bytes of server memory.

Juniper SIRT is not aware of any malicious exploitation of these


The following software releases have been updated to resolve these specific
issues: Junos Space 17.2R1, and all subsequent releases.

These issues are being tracked as PRs 1322467, 1296620, 1304289, 1322015,
1259822, 1287134, 1296621 and 1320984 which are visible on the Customer Support


Use access lists or firewall filters to limit access to the device only from
trusted hosts and administrators.

Software Releases, patches and updates are available at https://www.juniper.net

Modification History:

2018-01-10: Initial publication
2018-01-12: Include CVE IDs related to PostgreSQL upgrade (PR 1320984)

Related Links:

  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

  KB16765: In which releases are vulnerabilities fixed?

  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security

  Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risk Level:

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Juniper SIRT would like to acknowledge and thank the team at cyberhouse.ge for
responsibly reporting CVE-2018-0013.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967