Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.0154
2018-01 Security Bulletin: Junos Space: Multiple
vulnerabilities resolved in 17.2R1 release
15 January 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Juniper Junos Space
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Root Compromise -- Existing Account
Denial of Service -- Remote/Unauthenticated
Cross-site Request Forgery -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-0013 CVE-2018-0012 CVE-2018-0011
CVE-2017-1000112 CVE-2017-1000111 CVE-2017-15098
CVE-2017-14106 CVE-2017-12172 CVE-2017-9798
CVE-2017-9788 CVE-2017-7679 CVE-2017-7668
CVE-2017-5664 CVE-2017-5645 CVE-2017-3169
CVE-2017-3167 CVE-2016-8743 CVE-2016-8655
CVE-2016-2141 CVE-2015-7501 CVE-2015-7236
CVE-2015-5304 CVE-2015-5220 CVE-2015-5188
CVE-2015-5174
Reference: ASB-2017.0219
ASB-2017.0181
ASB-2017.0180
ASB-2017.0177
ASB-2017.0175
Original Bulletin:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10838&actp=RSS
- --------------------------BEGIN INCLUDED TEXT--------------------
2018-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in
17.2R1 release
Categories: Network Management Article ID: JSA10838
Junos Space
SIRT Advisory Last Updated: 12 Jan 2018
Version: 4.0
Product Affected:
Junos Space releases prior to 17.2R1
Problem:
Multiple vulnerabilities have been resolved in the Junos Space 17.2R1 release,
including updates to third party software found within Junos Space.
Important security issues resolved as a result of these upgrades include:
CVE CVSS Summary
5.5 (
CVSS:3.0/ The tcp_disconnect function in net/ipv4/tcp.c in the
AV:L/AC:L Linux kernel before 4.12 allows local users to cause
CVE-2017-14106 /PR:L/ a denial of service (__tcp_select_window
UI:N/S:U/ divide-by-zero error and system crash) by triggering
C:N/I:N/ a disconnect within a certain tcp_recvmsg code path.
A:H)
Linux kernel: heap out-of-bounds in AF_PACKET
sockets. This new issue is analogous to previously
disclosed CVE-2016-8655. In both cases, a socket
7.8 ( option that changes socket state may race with
CVSS:3.0/ safety checks in packet_set_ring. Previously with
AV:L/AC:L PACKET_VERSION. This time with PACKET_RESERVE. The
CVE-2017-1000111 /PR:L/ solution is similar: lock the socket for the update.
UI:N/S:U/ This issue may be exploitable, we did not
C:H/I:H/ investigate further. As this issue affects PF_PACKET
A:H) sockets, it requires CAP_NET_RAW in the process
namespace. But note that with user namespaces
enabled, any process can create a namespace in which
it has CAP_NET_RAW.
Linux kernel: Exploitable memory corruption due to
UFO to non-UFO path switch. When building a UFO
packet with MSG_MORE __ip_append_data() calls
ip_ufo_append_data() to append. However in between
two send() calls, the append path can be switched
7.0 ( from UFO to non-UFO one, which leads to a memory
CVSS:3.0/ corruption. In case UFO packet lengths exceeds MTU,
AV:L/AC:H copy = maxfraglen - skb->len becomes negative on the
CVE-2017-1000112 /PR:L/ non-UFO path and the branch to allocate new skb is
UI:N/S:U/ taken. This triggers fragmentation and computation
C:H/I:H/ of fraggap = skb_prev->len - maxfraglen. Fraggap can
A:H) exceed MTU, causing copy = datalen - transhdrlen -
fraggap to become negative. Subsequently
skb_copy_and_csum_bits() writes out-of-bounds. A
similar issue is present in IPv6 code. The bug was
introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO
Scatter-gather approach") on Oct 18 2005.
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS
6.x and 5.x; Data Grid (JDG) 6.x; Data
9.8 ( Virtualization (JDV) 6.x and 5.x; Enterprise
CVSS:3.0/ Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x;
AV:N/AC:L Fuse Service Works (FSW) 6.x; Operations Network
CVE-2015-7501 /PR:N/ (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P)
UI:N/S:U/ 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS
C:H/I:H/ 3.x; and Red Hat Subscription Asset Manager 1.3
A:H) allow remote attackers to execute arbitrary commands
via a crafted serialized Java object, related to the
Apache Commons Collections (ACC) library.
Red Hat JBoss Enterprise Application Platform (EAP)
3.5 (AV:N before 6.4.5 does not properly authorize access to
CVE-2015-5304 /AC:M/ shut down the server, which allows remote
Au:S/C:N/ authenticated users with the Monitor, Deployer, or
I:N/A:P) Auditor role to cause a denial of service via
unspecified vectors.
9.8 ( JGroups before 4.0 does not require the proper
CVSS:3.0/ headers for the ENCRYPT and AUTH protocols from
AV:N/AC:L nodes joining the cluster, which allows remote
CVE-2016-2141 /PR:N/ attackers to bypass security restrictions and send
UI:N/S:U/ and receive messages within the cluster via
C:H/I:H/ unspecified vectors.
A:H)
Directory traversal vulnerability in
4.3 ( RequestUtil.java in Apache Tomcat 6.x before 6.0.45,
CVSS:3.0/ 7.x before 7.0.65, and 8.x before 8.0.27 allows
AV:N/AC:L remote authenticated users to bypass intended
CVE-2015-5174 /PR:L/ SecurityManager restrictions and list a parent
UI:N/S:U/ directory via a /.. (slash dot dot) in a pathname
C:L/I:N/ used by a web application in a getResource,
A:N) getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps
directory.
9.8 (
CVSS:3.0/ In Apache Log4j 2.x before 2.8.2, when using the TCP
AV:N/AC:L socket server or UDP socket server to receive
CVE-2017-5645 /PR:N/ serialized log events from another application, a
UI:N/S:U/ specially crafted binary payload can be sent that,
C:H/I:H/ when deserialized, can execute arbitrary code.
A:H)
The error page mechanism of the Java Servlet
Specification requires that, when an error occurs
and an error page is configured for the error that
occurred, the original request and response are
forwarded to the error page. This means that the
request is presented to the error page with the
original HTTP method. If the error page is a static
file, expected behaviour is to serve content of the
file as if processing a GET request, regardless of
7.5 ( the actual HTTP method. The Default Servlet in
CVSS:3.0/ Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to
AV:N/AC:L 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did
CVE-2017-5664 /PR:N/ not do this. Depending on the original request this
UI:N/S:U/ could lead to unexpected and undesirable results for
C:N/I:H/ static error pages including, if the DefaultServlet
A:N) is configured to permit writes, the replacement or
removal of the custom error page. Notes for other
user provided error pages: (1) Unless explicitly
coded otherwise, JSPs ignore the HTTP method. JSPs
used as error pages must must ensure that they
handle any error dispatch as a GET request,
regardless of the actual method. (2) By default, the
response generated by a Servlet does depend on the
HTTP method. Custom Servlets used as error pages
must ensure that they handle any error dispatch as a
GET request, regardless of the actual method.
Cross-site request forgery (CSRF) vulnerability in
the Web Console (web-console) in Red Hat Enterprise
6.8 (AV:N Application Platform before 6.4.4 and WildFly
CVE-2015-5188 /AC:M/ (formerly JBoss Application Server) before 2.0.0.CR9
Au:N/C:P/ allows remote attackers to hijack the authentication
I:P/A:P) of administrators for requests that make arbitrary
changes to an instance via vectors involving a file
upload using a multipart/form-data submission.
5.0 (AV:N The Web Console in Red Hat Enterprise Application
/AC:L/ Platform (EAP) before 6.4.4 and WildFly (formerly
CVE-2015-5220 Au:N/C:N/ JBoss Application Server) allows remote attackers to
I:N/A:P) cause a denial of service (memory consumption) via a
large request header.
7.5 (
CVSS:3.0/ Use-after-free vulnerability in xprt_set_caller in
AV:N/AC:L rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows
CVE-2015-7236 /PR:N/ remote attackers to cause a denial of service
UI:N/S:U/ (daemon crash) via crafted packets, involving a
C:N/I:N/ PMAP_CALLIT code.
A:H)
Apache HTTP Server, in all releases prior to 2.2.32
7.5 ( and 2.4.25, was liberal in the whitespace accepted
CVSS:3.0/ from requests and sent in response lines and
AV:N/AC:L headers. Accepting these different behaviors
CVE-2016-8743 /PR:N/ represented a security concern when httpd
UI:N/S:U/ participates in any chain of proxies or interacts
C:N/I:H/ with back-end application servers, either through
A:N) mod_proxy or using conventional CGI mechanisms, and
may result in request smuggling, response splitting
and cache pollution.
9.8 (
CVSS:3.0/ In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
AV:N/AC:L 2.4.26, use of the ap_get_basic_auth_pw() by
CVE-2017-3167 /PR:N/ third-party modules outside of the authentication
UI:N/S:U/ phase may lead to authentication requirements being
C:H/I:H/ bypassed.
A:H)
9.8 (
CVSS:3.0/ In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
AV:N/AC:L 2.4.26, mod_ssl may dereference a NULL pointer when
CVE-2017-3169 /PR:N/ third-party modules call ap_hook_process_connection
UI:N/S:U/ () during an HTTP request to an HTTPS port.
C:H/I:H/
A:H)
9.8 ( The HTTP strict parsing changes added in Apache
CVSS:3.0/ httpd 2.2.32 and 2.4.24 introduced a bug in token
AV:N/AC:L list parsing, which allows ap_find_token() to search
CVE-2017-7668 /PR:N/ past the end of its input string. By maliciously
UI:N/S:U/ crafting a sequence of request headers, an attacker
C:H/I:H/ may be able to cause a segmentation fault, or to
A:H) force ap_find_token() to return an incorrect value.
9.8 (
CVSS:3.0/ In Apache httpd 2.2.x before 2.2.33 and 2.4.x before
AV:N/AC:L 2.4.26, mod_mime can read one byte past the end of a
CVE-2017-7679 /PR:N/ buffer when sending a malicious Content-Type
UI:N/S:U/ response header.
C:H/I:H/
A:H)
In Apache httpd before 2.2.34 and 2.4.x before
9.1 ( 2.4.27, the value placeholder in [Proxy-]
CVSS:3.0/ Authorization headers of type 'Digest' was not
AV:N/AC:L initialized or reset before or between successive
CVE-2017-9788 /PR:N/ key=value assignments by mod_auth_digest. Providing
UI:N/S:U/ an initial key with no '=' assignment could reflect
C:H/I:N/ the stale value of uninitialized pool memory used by
A:H) the prior request, leading to leakage of potentially
confidential information, and a segfault in other
cases resulting in denial of service.
Apache httpd allows remote attackers to read secret
data from process memory if the Limit directive can
be set in a user's .htaccess file, or if httpd.conf
7.5 ( has certain misconfigurations, aka Optionsbleed.
CVSS:3.0/ This affects the Apache HTTP Server through 2.2.34
AV:N/AC:L and 2.4.x through 2.4.27. The attacker sends an
CVE-2017-9798 /PR:N/ unauthenticated OPTIONS HTTP request when attempting
UI:N/S:U/ to read secret data. This is a use-after-free issue
C:H/I:N/ and thus secret data is not always sent, and the
A:N) specific data depends on many factors including
configuration. Exploitation with .htaccess can be
blocked with a patch to the ap_limit_section
function in server/core.c.
5.4 (
CVSS:3.0/
AV:N/AC:L Junos Space: Reflected XSS vulnerability in Junos
CVE-2018-0011 /PR:L/ Space management interface
UI:R/S:C/
C:L/I:L/
A:N)
7.8 (
CVSS:3.0/
AV:L/AC:L Junos Space: Local privilege escalation
CVE-2018-0012 /PR:L/ vulnerability in Junos Space
UI:N/S:U/
C:H/I:H/
A:H)
6.5 (
CVSS:3.0/
AV:N/AC:L
CVE-2018-0013 /PR:L/ Junos Space: Local File Inclusion Vulnerability
UI:N/S:U/
C:H/I:N/
A:N)
PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6,
9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x
before 9.3.20, and 9.2.x before 9.2.24 runs under a
non-root operating system account, and database
6.7 ( superusers have effective ability to run arbitrary
CVSS:3.0/ code under that system account. PostgreSQL provides
AV:L/AC:L a script for starting the database server during
CVE-2017-12172 /PR:H/ system boot. Packages of PostgreSQL for many
UI:N/S:U/ operating systems provide their own,
C:H/I:H/ packager-authored startup implementations. Several
A:H) implementations use a log file name that the
database superuser can replace with a symbolic link.
As root, they open(), chmod() and/or chown() this
log file name. This often suffices for the database
superuser to escalate to root privileges when root
starts the server.
8.1 ( Invalid json_populate_recordset or
CVSS:3.0/ jsonb_populate_recordset function calls in
AV:N/AC:L PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6,
CVE-2017-15098 /PR:L/ 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x
UI:N/S:U/ before 9.3.20 can crash the server or disclose a few
C:H/I:N/ bytes of server memory.
A:H)
Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.
Solution:
The following software releases have been updated to resolve these specific
issues: Junos Space 17.2R1, and all subsequent releases.
These issues are being tracked as PRs 1322467, 1296620, 1304289, 1322015,
1259822, 1287134, 1296621 and 1320984 which are visible on the Customer Support
website.
Workaround:
Use access lists or firewall filters to limit access to the device only from
trusted hosts and administrators.
Implementation:
Software Releases, patches and updates are available at https://www.juniper.net
/support/downloads/.
Modification History:
2018-01-10: Initial publication
2018-01-12: Include CVE IDs related to PostgreSQL upgrade (PR 1320984)
Related Links:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team
CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
Critical
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
Juniper SIRT would like to acknowledge and thank the team at cyberhouse.ge for
responsibly reporting CVE-2018-0013.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWlv1BIx+lLeg9Ub1AQg2Ng/+OvrssqJdo0ddMlPHm14+jydLTxFVG68i
mMQoYOpbUF3KHCVnAUZR8h3+PI2S7pWC9mTYb5rPgNXlOI0RqA6mTd6WapFb98g6
fm1gmDXeDXMvDxLxeC7IrX9GxI5ZVBNE0EJC2aCi5XIcLU0cfssRwrFLLyJOeBnW
opng+a27HNmTIpFThF0VWK0mhJ1cPjlix5mPW/AhBh0Dclda6p6ZsBCl3QvBZ3Gx
jlxw63gAaOoExnsVjy788vj2vWAtm0zRGbrFuoMFOomF9shY3AJkpvWPAXaWs5Kq
UDHUSfM3o3qbekpyljCrHuPDX+uNtKA3t7ZzaAeXFh0FH3UVFeMtJ6k9KJXWxuFx
koKfZEgXIQPtEG0kx+YIFah6dnLlFPqjSII6TCgHNJxhZi02o15piNSf0Er33arE
nYuxa1M7yREkGrcMhDPX9UZQ4U3c/ygrsGobylNX+2wwxR0ZFLOA/KghzGnJkSzQ
i3mcCj14rTwcgoyAeOq0aStf0dvYWmv1b8yWsJx079Pfm3xGv/WCl4eJci1+F21I
Qv8PBk0B/yPOHk8AWa96rf36Twkh5ySUOsYXQmYiIF9UoK6Ss5aCjDyC2hbMLiJV
PKzZhOTpzVjsTFfugnjdyka9tDJwuxvr0vZauY99jtDcPAbti5+lfPb4wpc+NoBQ
WIMZ6hc1OeE=
=AY80
-----END PGP SIGNATURE-----