-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2340
JSA11023 - 2020-07 Security Bulletin: Junos Space and Junos Space Security
       Director: Multiple vulnerabilities resolved in 20.1R1 release
                                9 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos Space
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise                 -- Existing Account      
                   Increased Privileges            -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1652 CVE-2019-3863 CVE-2019-3862
                   CVE-2019-3857 CVE-2019-3856 CVE-2019-3855
                   CVE-2019-0211 CVE-2018-1000613 CVE-2018-1000180
                   CVE-2018-1000021 CVE-2018-19486 CVE-2018-16881
                   CVE-2018-11235 CVE-2018-11233 CVE-2018-5382
                   CVE-2018-5360 CVE-2018-3639 CVE-2017-1000117
                   CVE-2017-15298 CVE-2017-14867 CVE-2017-13098
                   CVE-2017-12588 CVE-2017-9935 CVE-2017-7895
                   CVE-2016-1000352 CVE-2016-1000346 CVE-2016-1000345
                   CVE-2016-1000344 CVE-2016-1000343 CVE-2016-1000342
                   CVE-2016-1000341 CVE-2016-1000339 CVE-2016-1000338
                   CVE-2016-9555 CVE-2016-6663 CVE-2016-6662
                   CVE-2016-6136 CVE-2016-5616 CVE-2016-5314
                   CVE-2016-4449 CVE-2016-4448 CVE-2016-4447
                   CVE-2016-3991 CVE-2016-3990 CVE-2016-3945
                   CVE-2016-3705 CVE-2016-3632 CVE-2016-3627
                   CVE-2016-3621 CVE-2016-2324 CVE-2016-1840
                   CVE-2016-1839 CVE-2016-1838 CVE-2016-1837
                   CVE-2016-1836 CVE-2016-1835 CVE-2016-1834
                   CVE-2016-1833 CVE-2016-1762 CVE-2016-0787
                   CVE-2015-7940 CVE-2015-7547 CVE-2015-7545
                   CVE-2015-7082 CVE-2015-1782 CVE-2015-1421
                   CVE-2015-1159 CVE-2015-1158 CVE-2014-9938
                   CVE-2014-9679 CVE-2014-9584 CVE-2014-9529
                   CVE-2014-8884 CVE-2014-8171 CVE-2014-7826
                   CVE-2014-7825 CVE-2014-3690 CVE-2014-3683
                   CVE-2014-3634 CVE-2014-3215 CVE-2013-4758
                   CVE-2013-4244 CVE-2013-4243 CVE-2013-4232
                   CVE-2013-1961 CVE-2013-1960 CVE-2013-1624
                   CVE-2013-0169 CVE-2012-5581 CVE-2012-4564
                   CVE-2012-4447 CVE-2012-3401 CVE-2012-2113
                   CVE-2012-2088 CVE-2012-1173 CVE-2011-3200
                   CVE-2011-1167 CVE-2011-0192 CVE-2010-2067
                   CVE-2010-2065 CVE-2010-1411 CVE-2009-5022
                   CVE-2009-2347 CVE-2008-2327 CVE-2006-2656
                   CVE-2006-2193  

Reference:         ESB-2019.2561
                   ESB-2019.0130
                   ESB-2017.0091

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11023

- --------------------------BEGIN INCLUDED TEXT--------------------

2020-07 Security Bulletin: Junos Space and Junos Space Security Director: Multiple vulnerabilities resolved in 20.1R1 release

Article ID  : JSA11023
Last Updated: 08 Jul 2020
Version     : 4.0

Product Affected:
These issues affect Junos Space and Junos Space Security Director.
Problem:

Multiple vulnerabilities have been resolved in the Junos Space and Junos Space
Security Director 20.1R1 release by updating third party software included with
Junos Space and Junos Space Security Director or by fixing vulnerabilities
found during internal testing.

These issues affect:

Juniper Networks Junos Space versions prior to 20.1R1.

Juniper Networks Junos Space Security Director versions prior to 20.1R1.

These issues were discovered during external security research.
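The following Python helper is an added example, not part of the Juniper bulletin or the AusCERT text. It performs the two checks an operator would want to run against an advisory of this shape: whether an installed Junos Space release is older than the 20.1R1 fix, and which of the listed CVEs are reachable over the network without credentials, decided from the CVSS v2 or v3.0 vector strings printed in the table that follows. The release-string format (MAJOR.MINOR followed by R and a number, e.g. 19.4R1) is an assumption about Junos Space release naming; the sample rows are copied from the bulletin's table; the ranking rule is the example's own, not Juniper's.

```python
"""Added triage helper for a multi-CVE bulletin (example code, not Juniper's).

Two checks: is the installed Junos Space release older than the fixed one,
and which listed CVEs are network-reachable without authentication,
decided from their CVSS v2 or v3.0 vector strings.
"""
import re

# Fixed release taken from the bulletin. The "MAJOR.MINOR R N" shape
# (e.g. "19.4R1") is an assumption about Junos Space release naming.
FIXED_RELEASE = "20.1R1"
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)$")


def parse_release(release):
    """'19.4R1' -> (19, 4, 1); raises ValueError on anything else."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(installed, fixed=FIXED_RELEASE):
    """True when the installed release sorts before the fixed release."""
    return parse_release(installed) < parse_release(fixed)


def parse_cvss(vector):
    """Parse a CVSS v2 ('AV:N/AC:L/Au:N/...') or v3.0 ('CVSS:3.0/AV:N/...')
    vector as printed in the bulletin; whitespace and parentheses left over
    from the table layout are tolerated.
    Returns {'version': '2' | '3', 'metrics': {...}}.
    """
    parts = re.sub(r"[\s()]", "", vector).split("/")
    version = "2"
    if parts and parts[0].startswith("CVSS:3"):
        version = "3"
        parts = parts[1:]
    metrics = {}
    for part in parts:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    # Base metrics that must be present for the version claimed.
    required = {"AV", "AC", "C", "I", "A"}
    required |= {"PR", "UI", "S"} if version == "3" else {"Au"}
    missing = required - metrics.keys()
    if missing:
        raise ValueError(f"vector missing {sorted(missing)}: {vector!r}")
    return {"version": version, "metrics": metrics}


def remote_unauthenticated(vec):
    """Network attack vector and no credentials: Au:N (v2) or PR:N (v3)."""
    m = vec["metrics"]
    if m["AV"] != "N":
        return False
    return m["Au"] == "N" if vec["version"] == "2" else m["PR"] == "N"


# Rows copied from the bulletin's table: (CVE, base score, vector).
BULLETIN_ROWS = [
    ("CVE-2018-3639", "5.5", "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
    ("CVE-2019-0211", "7.8", "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-2015-1158", "10.0", "(AV:N/AC:L/Au:N/C:C/I:C/A:C)"),
    ("CVE-2015-7547", "8.1", "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-2016-1835", "8.8", "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),
    ("CVE-2016-6662", "9.8", "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-2016-9555", "9.8", "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-2014-9679", "6.8", "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
]


def triage(rows):
    """Rank rows: remote/unauthenticated first, then by base score, then CVE id."""
    ranked = []
    for cve, score, vector in rows:
        vec = parse_cvss(vector)
        ranked.append({
            "cve": cve,
            "score": float(score),
            "cvss_version": vec["version"],
            "remote_unauth": remote_unauthenticated(vec),
        })
    ranked.sort(key=lambda r: (not r["remote_unauth"], -r["score"], r["cve"]))
    return ranked


if __name__ == "__main__":
    installed = "19.4R1"  # constructed sample value
    print(f"{installed} affected: {is_affected(installed)}")
    for row in triage(BULLETIN_ROWS):
        flag = "REMOTE/UNAUTH" if row["remote_unauth"] else "local/authenticated"
        print(f"{row['cve']:<15} {row['score']:>4}  v{row['cvss_version']}  {flag}")
```

The ranking deliberately puts network-reachable, credential-free entries above everything else regardless of score, because on a management appliance those are the ones reachable before any account is compromised; a malformed vector raises rather than being silently scored as low risk.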

Important security issues resolved include:

Each entry gives the CVE identifier, the CVSS base score and vector (v3.0
where the vector is prefixed CVSS:3.0/, otherwise v2.0), and the summary.

CVE-2018-3639    5.5  (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    Systems with microprocessors utilizing speculative execution and
    speculative execution of memory reads before the addresses of all prior
    memory writes are known may allow unauthorized disclosure of
    information to an attacker with local user access via a side-channel
    analysis, aka Speculative Store Bypass (SSB), Variant 4.

CVE-2019-0211    7.8  (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event,
    worker or prefork, code executing in less-privileged child processes or
    threads (including scripts executed by an in-process scripting
    interpreter) could execute arbitrary code with the privileges of the
    parent process (usually root) by manipulating the scoreboard. Non-Unix
    systems are not affected.

CVE-2014-3215    6.9  (AV:L/AC:M/Au:N/C:C/I:C/A:C)
    seunshare in policycoreutils 2.2.5 is owned by root with 4755
    permissions, and executes programs in a way that changes the
    relationship between the setuid system call and the getresuid saved
    set-user-ID value, which makes it easier for local users to gain
    privileges by leveraging a program that mistakenly expected that it
    could permanently drop privileges.

CVE-2014-3690    4.9  (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before
    3.17.2 on Intel processors does not ensure that the value in the CR4
    control register remains the same after a VM entry, which allows host
    OS users to kill arbitrary processes or cause a denial of service
    (system disruption) by leveraging /dev/kvm access, as demonstrated by
    PR_SET_TSC prctl calls within a modified copy of QEMU.

CVE-2014-7825    4.9  (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does
    not properly handle private syscall numbers during use of the perf
    subsystem, which allows local users to cause a denial of service
    (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism
    via a crafted application.

CVE-2014-7826    4.6  (AV:L/AC:L/Au:N/C:P/I:P/A:P)
    kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does
    not properly handle private syscall numbers during use of the ftrace
    subsystem, which allows local users to gain privileges or cause a
    denial of service (invalid pointer dereference) via a crafted
    application.

CVE-2014-8171    5.5  (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    The memory resource controller (aka memcg) in the Linux kernel allows
    local users to cause a denial of service (deadlock) by spawning new
    processes within a memory-constrained cgroup.

CVE-2014-8884    6.1  (AV:L/AC:L/Au:N/C:P/I:P/A:C)
    Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd
    function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux
    kernel before 3.17.4 allows local users to cause a denial of service
    (system crash) or possibly gain privileges via a large message length
    in an ioctl call.

CVE-2014-9529    6.9  (AV:L/AC:M/Au:N/C:C/I:C/A:C)
    Race condition in the key_gc_unused_keys function in security/keys/gc.c
    in the Linux kernel through 3.18.2 allows local users to cause a denial
    of service (memory corruption or panic) or possibly have unspecified
    other impact via keyctl commands that trigger access to a key structure
    member during garbage collection of a key.

CVE-2014-9584    2.1  (AV:L/AC:L/Au:N/C:P/I:N/A:N)
    The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the
    Linux kernel before 3.18.2 does not validate a length value in the
    Extensions Reference (ER) System Use Field, which allows local users to
    obtain sensitive information from kernel memory via a crafted iso9660
    image.

CVE-2014-9679    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Integer underflow in the cupsRasterReadPixels function in
    filter/raster.c in CUPS before 2.0.2 allows remote attackers to have
    unspecified impact via a malformed compressed raster file, which
    triggers a buffer overflow.

CVE-2015-1158    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
    The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3
    performs incorrect free operations for multiple-value
    job-originating-host-name attributes, which allows remote attackers to
    trigger data corruption for reference-counted strings via a crafted (1)
    IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by
    replacing the configuration file and consequently executing arbitrary
    code.

CVE-2015-1159    4.3  (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    Cross-site scripting (XSS) vulnerability in the cgi_puts function in
    cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows
    remote attackers to inject arbitrary web script or HTML via the QUERY
    parameter to help/.

CVE-2015-1421    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
    Use-after-free vulnerability in the sctp_assoc_update function in
    net/sctp/associola.c in the Linux kernel before 3.18.8 allows remote
    attackers to cause a denial of service (slab corruption and panic) or
    possibly have unspecified other impact by triggering an INIT collision
    that leads to improper handling of shared-key data.

CVE-2015-7547    8.1  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
    Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc
    functions in the libresolv library in the GNU C Library (aka glibc or
    libc6) before 2.23 allow remote attackers to cause a denial of service
    (crash) or possibly execute arbitrary code via a crafted DNS response
    that triggers a call to the getaddrinfo function with the AF_UNSPEC or
    AF_INET6 address family, related to performing "dual A/AAAA DNS
    queries" and the libnss_dns.so.2 NSS module.

CVE-2016-1762    8.1  (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
    The xmlNextChar function in libxml2 before 2.9.4 allows remote
    attackers to cause a denial of service (heap-based buffer over-read)
    via a crafted XML document.

CVE-2016-1833    5.5  (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
    The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple
    iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS
    before 2.2.1, allows remote attackers to cause a denial of service
    (heap-based buffer over-read) via a crafted XML document.

CVE-2016-1834    7.8  (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    Heap-based buffer overflow in the xmlStrncat function in libxml2 before
    2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS
    before 9.2.1, and watchOS before 2.2.1, allows remote attackers to
    execute arbitrary code or cause a denial of service (memory corruption)
    via a crafted XML document.

CVE-2016-1835    8.8  (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    Use-after-free vulnerability in the xmlSAX2AttributeNs function in
    libxml2 before 2.9.4, as used in Apple iOS before 9.3.2 and OS X before
    10.11.5, allows remote attackers to cause a denial of service via a
    crafted XML document.

CVE-2016-1836    5.5  (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
    Use-after-free vulnerability in the xmlDictComputeFastKey function in
    libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before
    10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
    attackers to cause a denial of service via a crafted XML document.

CVE-2016-1837    5.5  (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
    Multiple use-after-free vulnerabilities in the (1)
    htmlParsePubidLiteral and (2) htmlParseSystemLiteral functions in
    libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before
    10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allow remote
    attackers to cause a denial of service via a crafted XML document.

CVE-2016-1838    5.5  (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
    The xmlParserPrintFileContextInternal function in libxml2 before 2.9.4,
    as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before
    9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a
    denial of service (heap-based buffer over-read) via a crafted XML
    document.

CVE-2016-1839    5.5  (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
    The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple
    iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS
    before 2.2.1, allows remote attackers to cause a denial of service
    (heap-based buffer over-read) via a crafted XML document.

CVE-2016-1840    7.8  (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    Heap-based buffer overflow in the xmlFAParsePosCharGroup function in
    libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before
    10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
    attackers to execute arbitrary code or cause a denial of service
    (memory corruption) via a crafted XML document.

CVE-2016-3627    7.5  (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and
    earlier, when used in recovery mode, allows context-dependent attackers
    to cause a denial of service (infinite recursion, stack consumption,
    and application crash) via a crafted XML document.

CVE-2016-3705    7.5  (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions
    in parser.c in libxml2 2.9.3 do not properly keep track of the
    recursion depth, which allows context-dependent attackers to cause a
    denial of service (stack consumption and application crash) via a
    crafted XML document containing a large number of nested entity
    references.

CVE-2016-4447    7.5  (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4
    allows context-dependent attackers to cause a denial of service
    (heap-based buffer underread and application crash) via a crafted
    file, involving xmlParseName.

CVE-2016-4448    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
    Format string vulnerability in libxml2 before 2.9.4 allows attackers to
    have unspecified impact via format string specifiers in unknown
    vectors.

CVE-2016-4449    7.1  (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
    XML external entity (XXE) vulnerability in the
    xmlStringLenDecodeEntities function in parser.c in libxml2 before
    2.9.4, when not in validating mode, allows context-dependent attackers
    to read arbitrary files or cause a denial of service (resource
    consumption) via unspecified vectors.

CVE-2016-5616    (no CVSS score)
    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs:
    CVE-2016-6663. Reason: This candidate is a reservation duplicate of
    CVE-2016-6663. Notes: All CVE users should reference CVE-2016-6663
    instead of this candidate. All references and descriptions in this
    candidate have been removed to prevent accidental usage.

CVE-2016-6136    4.7  (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
    Race condition in the audit_log_single_execve_arg function in
    kernel/auditsc.c in the Linux kernel through 4.7 allows local users to
    bypass intended character-set restrictions or disrupt system-call
    auditing by changing a certain string, aka a "double fetch"
    vulnerability.

CVE-2016-6662    9.8  (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through
    5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before
    10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before
    5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create
    arbitrary configurations and bypass certain protection mechanisms by
    setting general_log_file to a my.cnf configuration. NOTE: this can be
    leveraged to execute arbitrary code with root privileges by setting
    malloc_lib. NOTE: the affected MySQL version information is from
    Oracle's October 2016 CPU. Oracle has not commented on third-party
    claims that the issue was silently patched in MySQL 5.5.52, 5.6.33,
    and 5.7.15.

CVE-2016-6663    7.0  (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
    Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33,
    5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52,
    10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before
    5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and
    Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17,
    and 5.7.x before 5.7.14-26.17 allows local users with certain
    permissions to gain privileges by leveraging use of my_copystat by
    REPAIR TABLE to repair a MyISAM table.

CVE-2016-9555    9.8  (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux
    kernel before 4.8.8 lacks chunk-length checking for the first chunk,
    which allows remote attackers to cause a denial of service
    (out-of-bounds slab access) or possibly have unspecified other impact
    via crafted SCTP data.

CVE-2017-7895    9.8  (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    The NFSv2 and NFSv3 server implementations in the Linux kernel through
    4.10.13 lack certain checks for the end of a buffer, which allows
    remote attackers to trigger pointer-arithmetic errors or possibly have
    unspecified other impact via crafted requests, related to
    fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.

CVE-2006-2193    7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in
    libtiff 3.8.2 and earlier allows attackers to cause a denial of service
    (crash) and possibly execute arbitrary code via a TIFF file with a
    DocumentName tag that contains UTF-8 characters, which triggers the
    overflow when a character is sign extended to an integer that produces
    more digits than expected in an sprintf call.

CVE-2006-2656    7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2
    and earlier might allow attackers to execute arbitrary code via a long
    filename. NOTE: tiffsplit is not setuid. If there is not a common
    scenario under which tiffsplit is called with attacker-controlled
    command line arguments, then perhaps this issue should not be included
    in CVE.

CVE-2008-2327    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat,
    and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in
    LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute
    arbitrary code via a crafted TIFF file, related to improper handling
    of the CODE_CLEAR code.

CVE-2009-2347    9.3  (AV:N/AC:M/Au:N/C:C/I:C/A:C)
    Multiple integer overflows in inter-color spaces conversion tools in
    libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent
    attackers to execute arbitrary code via a TIFF image with large (1)
    width and (2) height values, which triggers a heap-based buffer
    overflow in the (a) cvt_whole_image function in tiff2rgba and (b)
    tiffcvt function in rgb2ycbcr.

CVE-2009-5022    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in
    LibTIFF before 3.9.5 allows remote attackers to execute arbitrary code
    via a crafted TIFF file.

CVE-2010-1411    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Multiple integer overflows in the Fax3SetupState function in
    tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in
    ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4,
    allow remote attackers to execute arbitrary code or cause a denial of
    service (application crash) via a crafted TIFF file that triggers a
    heap-based buffer overflow.

CVE-2010-2065    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3
    allows remote attackers to cause a denial of service (application
    crash) or possibly execute arbitrary code via a crafted TIFF file that
    triggers a buffer overflow.

CVE-2010-2067    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Stack-based buffer overflow in the TIFFFetchSubjectDistance function
    in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to
    cause a denial of service (application crash) or possibly execute
    arbitrary code via a long EXIF SubjectDistance field in a TIFF file.

CVE-2011-0192    9.3  (AV:N/AC:M/Au:N/C:C/I:C/A:C)
    Buffer overflow in Fax4Decode in LibTIFF 3.9.4 and possibly other
    versions, as used in ImageIO in Apple iTunes before 10.2 on Windows
    and other products, allows remote attackers to execute arbitrary code
    or cause a denial of service (application crash) via a crafted TIFF
    Internet Fax image file that has been compressed using CCITT Group 4
    encoding, related to the EXPAND2D macro in libtiff/tif_fax3.h. NOTE:
    some of these details are obtained from third party information.

CVE-2011-1167    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in
    tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to
    execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff
    file that has an unexpected BitsPerSample value.

CVE-2012-1173    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow
    remote attackers to execute arbitrary code via a crafted tile size in
    a TIFF file, which is not properly handled by the (1) gtTileSeparate
    or (2) gtStripSeparate function, leading to a heap-based buffer
    overflow.

CVE-2012-2088    7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Integer signedness error in the TIFFReadDirectory function in
    tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to
    cause a denial of service (application crash) and possibly execute
    arbitrary code via a negative tile depth in a tiff image, which
    triggers an improper conversion between signed and unsigned types,
    leading to a heap-based buffer overflow.

CVE-2012-2113    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow
    remote attackers to cause a denial of service (application crash) or
    possibly execute arbitrary code via a crafted tiff image, which
    triggers a heap-based buffer overflow.

CVE-2012-3401    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in
    LibTIFF 4.0.2 and earlier does not properly initialize the T2P context
    struct pointer in certain error conditions, which allows
    context-dependent attackers to cause a denial of service (crash) and
    possibly execute arbitrary code via a crafted TIFF image that triggers
    a heap-based buffer overflow.

CVE-2012-4447    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3
    allows remote attackers to cause a denial of service (application
    crash) and possibly execute arbitrary code via a crafted TIFF image
    using the PixarLog Compression format.

CVE-2012-4564    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    ppm2tiff does not check the return value of the TIFFScanlineSize
    function, which allows remote attackers to cause a denial of service
    (crash) and possibly execute arbitrary code via a crafted PPM image
    that triggers an integer overflow, a zero-memory allocation, and a
    heap-based buffer overflow.

CVE-2012-5581    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2
    allows remote attackers to cause a denial of service (crash) and
    possibly execute arbitrary code via a crafted DOTRANGE tag in a TIFF
    image.

CVE-2013-1960    9.3  (AV:N/AC:M/Au:N/C:C/I:C/A:C)
    Heap-based buffer overflow in the t2p_process_jpeg_strip function in
    tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause
    a denial of service (crash) and possibly execute arbitrary code via a
    crafted TIFF image file.

CVE-2013-1961    9.3  (AV:N/AC:M/Au:N/C:C/I:C/A:C)
    Stack-based buffer overflow in the t2p_write_pdf_page function in
    tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a
    denial of service (application crash) via a crafted image length and
    resolution in a TIFF image file.

CVE-2013-4232    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Use-after-free vulnerability in the t2p_readwrite_pdf_image function
    in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause
    a denial of service (crash) or possibly execute arbitrary code via a
    crafted TIFF image.

CVE-2013-4243    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Heap-based buffer overflow in the readgifimage function in the
    gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to
    cause a denial of service (crash) and possibly execute arbitrary code
    via crafted height and width values in a GIF image.

CVE-2013-4244    6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier
    allows context-dependent attackers to cause a denial of service
    (out-of-bounds write and crash) or possibly execute arbitrary code via
    a crafted GIF image.

CVE-2016-3621    8.8  (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF
    4.0.6 and earlier, when the "-c lzw" option is used, allows remote
    attackers to cause a denial of service (buffer over-read) via a
    crafted BMP image.

CVE-2016-3632    7.8  (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and
    earlier allows remote attackers to cause a denial of service
    (out-of-bounds write) or execute arbitrary code via a crafted TIFF
    image.
                 7.8 (       Multiple integer overflows in the (1) cvt_by_strip
                 CVSS:3.0/   and (2) cvt_by_tile functions in the tiff2rgba
                 AV:L/AC:L/  tool in LibTIFF 4.0.6 and earlier, when -b mode is
CVE-2016-3945    PR:N/UI:R/  enabled, allow remote attackers to cause a denial
                 S:U/C:H/I:H of service (crash) or execute arbitrary code via a
                 /A:H )      crafted TIFF image, which triggers an
                             out-of-bounds write.
                 7.8 (       Heap-based buffer overflow in the
                 CVSS:3.0/   horizontalDifference8 function in tif_pixarlog.c
CVE-2016-3990    AV:L/AC:L/  in LibTIFF 4.0.6 and earlier allows remote
                 PR:N/UI:R/  attackers to cause a denial of service (crash) or
                 S:U/C:H/I:H execute arbitrary code via a crafted TIFF image to
                 /A:H )      tiffcp.
                 7.8 (       Heap-based buffer overflow in the loadImage
                 CVSS:3.0/   function in the tiffcrop tool in LibTIFF 4.0.6 and
CVE-2016-3991    AV:L/AC:L/  earlier allows remote attackers to cause a denial
                 PR:N/UI:R/  of service (out-of-bounds write) or execute
                 S:U/C:H/I:H arbitrary code via a crafted TIFF image with zero
                 /A:H )      tiles.
                 8.8 (       Buffer overflow in the PixarLogDecode function in
                 CVSS:3.0/   tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows
                 AV:N/AC:L/  remote attackers to cause a denial of service
CVE-2016-5314    PR:N/UI:R/  (application crash) or possibly have unspecified
                 S:U/C:H/I:H other impact via a crafted TIFF image, as
                 /A:H )      demonstrated by overwriting the vgetparent
                             function pointer with rgb2ycbcr.
                             In LibTIFF 4.0.8, there is a heap-based buffer
                             overflow in the t2p_write_pdf function in tools/
                 8.8 (       tiff2pdf.c. This heap overflow could lead to
                 CVSS:3.0/   different damages. For example, a crafted TIFF
CVE-2017-9935    AV:N/AC:L/  document can lead to an out-of-bounds read in
                 PR:N/UI:R/  TIFFCleanup, an invalid free in TIFFClose or
                 S:U/C:H/I:H t2p_free, memory corruption in
                 /A:H )      t2p_readwrite_pdf_image, or a double free in
                             t2p_free. Given these possibilities, it probably
                             could cause arbitrary code execution.
                 8.8 (
                 CVSS:3.0/   LibTIFF before 4.0.6 mishandles the reading of
CVE-2018-5360    AV:N/AC:L/  TIFF files, as demonstrated by a heap-based buffer
                 PR:N/UI:R/  over-read in the ReadTIFFImage function in coders/
                 S:U/C:H/I:H tiff.c in GraphicsMagick 1.3.27.
                 /A:H )
                 8.8 (       An integer overflow flaw which could lead to an
                 CVSS:3.0/   out of bounds write was discovered in libssh2
CVE-2019-3855    AV:N/AC:L/  before 1.8.1 in the way packets are read from the
                 PR:N/UI:R/  server. A remote attacker who compromises a SSH
                 S:U/C:H/I:H server may be able to execute code on the client
                 /A:H )      system when a user connects to the server.
                 6.8 (AV:N/  The kex_agree_methods function in libssh2 before
                 AC:M/Au:N/  1.5.0 allows remote servers to cause a denial of
CVE-2015-1782    C:P/I:P/    service (crash) or have other unspecified impact
                 A:P)        via crafted length values in an SSH_MSG_KEXINIT
                             packet.
                 8.8 (       An integer overflow flaw, which could lead to an
                 CVSS:3.0/   out of bounds write, was discovered in libssh2
CVE-2019-3856    AV:N/AC:L/  before 1.8.1 in the way keyboard prompt requests
                 PR:N/UI:R/  are parsed. A remote attacker who compromises a
                 S:U/C:H/I:H SSH server may be able to execute code on the
                 /A:H )      client system when a user connects to the server.
                 8.8 (       An integer overflow flaw which could lead to an
                 CVSS:3.0/   out of bounds write was discovered in libssh2
                 AV:N/AC:L/  before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST
CVE-2019-3857    PR:N/UI:R/  packets with an exit signal are parsed. A remote
                 S:U/C:H/I:H attacker who compromises a SSH server may be able
                 /A:H )      to execute code on the client system when a user
                             connects to the server.
                 8.8 (       A flaw was found in libssh2 before 1.8.1. A server
                 CVSS:3.0/   could send a multiple keyboard interactive
CVE-2019-3863    AV:N/AC:L/  response messages whose total length are greater
                 PR:N/UI:R/  than unsigned char max characters. This value is
                 S:U/C:H/I:H used as an index to copy memory causing in an out
                 /A:H )      of bounds memory write error.
                 9.1 (       An out of bounds read flaw was discovered in
                 CVSS:3.0/   libssh2 before 1.8.1 in the way
                 AV:N/AC:L/  SSH_MSG_CHANNEL_REQUEST packets with an exit
CVE-2019-3862    PR:N/UI:N/  status message and no payload are parsed. A remote
                 S:U/C:H/I:N attacker who compromises a SSH server may be able
                 /A:H )      to cause a Denial of Service or read data in the
                             client memory.
                 5.9 (       The diffie_hellman_sha256 function in kex.c in
                 CVSS:3.0/   libssh2 before 1.7.0 improperly truncates secrets
CVE-2016-0787    AV:N/AC:H/  to 128 or 256 bits, which makes it easier for
                 PR:N/UI:N/  man-in-the-middle attackers to decrypt or
                 S:U/C:H/I:N intercept SSH sessions via unspecified vectors,
                 /A:N )      aka a "bits/bytes confusion bug."
                 10.0 (AV:N/ Multiple unspecified vulnerabilities in Git before
CVE-2015-7082    AC:L/Au:N/  2.5.4, as used in Apple Xcode before 7.2, have
                 C:C/I:C/    unknown impact and attack vectors. NOTE: this CVE
                 A:C)        is associated only with Xcode use cases.
                 9.8 (
                 CVSS:3.0/   Integer overflow in Git before 2.7.4 allows remote
CVE-2016-2324    AV:N/AC:L/  attackers to execute arbitrary code via a (1) long
                 PR:N/UI:N/  filename or (2) many nested trees, which triggers
                 S:U/C:H/I:H a heap-based buffer overflow.
                 /A:H )
                             Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x
                 8.8 (       before 2.12.5, 2.13.x before 2.13.6, and 2.14.x
                 CVSS:3.0/   before 2.14.2 uses unsafe Perl scripts to support
CVE-2017-14867   AV:N/AC:L/  subcommands such as cvsserver, which allows
                 PR:L/UI:N/  attackers to execute arbitrary OS commands via
                 S:U/C:H/I:H shell metacharacters in a module name. The
                 /A:H )      vulnerable code is reachable via git-shell even
                             without CVS support.
                             The (1) git-remote-ext and (2) unspecified other
                 9.8 (       remote helper programs in Git before 2.3.10, 2.4.x
                 CVSS:3.0/   before 2.4.10, 2.5.x before 2.5.4, and 2.6.x
CVE-2015-7545    AV:N/AC:L/  before 2.6.1 do not properly restrict the allowed
                 PR:N/UI:N/  protocols, which might allow remote attackers to
                 S:U/C:H/I:H execute arbitrary code via a URL in a (a)
                 /A:H )      .gitmodules file or (b) unknown other sources in a
                             submodule.
                 9.8 (       Git before 2.19.2 on Linux and UNIX executes
                 CVSS:3.0/   commands from the current working directory (as if
CVE-2018-19486   AV:N/AC:L/  '.' were at the end of $PATH) in certain cases
                 PR:N/UI:N/  involving the run_command() API and run-command.c,
                 S:U/C:H/I:H because there was a dangerous change from execvp
                 /A:H )      to execv during 2017.
                 8.8 (       GIT version 2.15.1 and earlier contains a Input
                 CVSS:3.0/   Validation Error vulnerability in Client that can
                 AV:N/AC:L/  result in problems including messing up terminal
CVE-2018-1000021 PR:N/UI:R/  configuration to RCE. This attack appear to be
                 S:U/C:H/I:H exploitable via The user must interact with a
                 /A:H )      malicious git server, (or have their traffic
                             modified in a MITM attack).
                             A malicious third-party can give a crafted "ssh:/
                 8.8 (       /..." URL to an unsuspecting victim, and an
                 CVSS:3.0/   attempt to visit the URL can result in any program
                 AV:N/AC:L/  that exists on the victim's machine being
CVE-2017-1000117 PR:N/UI:R/  executed. Such a URL could be placed in the
                 S:U/C:H/I:H .gitmodules file of a malicious project, and an
                 /A:H )      unsuspecting victim could be tricked into running
                             "git clone --recurse-submodules" to trigger the
                             vulnerability.
                 6.8 AV:N/   contrib/completion/git-prompt.sh in Git before
CVE-2014-9938    AC:M/Au:N/  1.9.3 does not sanitize branch names in the PS1
                 C:P/I:P/A:P variable, allowing a malicious repository to cause
                             code execution.
                             In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x
                             before 2.15.2, 2.16.x before 2.16.4, and 2.17.x
                             before 2.17.1, remote code execution can occur.
                 7.8 (       With a crafted .gitmodules file, a malicious
                 CVSS:3.0/   project can execute an arbitrary script on a
                 AV:L/AC:L/  machine that runs "git clone --recurse-submodules"
CVE-2018-11235   PR:N/UI:R/  because submodule "names" are obtained from this
                 S:U/C:H/I:H file, and then appended to $GIT_DIR/modules,
                 /A:H )      leading to directory traversal with "../" in a
                             name. Finally, post-checkout hooks from a
                             submodule are executed, bypassing the intended
                             design in which hooks are not obtained from a
                             remote server.
                 7.5 (
                 CVSS:3.0/   In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x
CVE-2018-11233   AV:N/AC:L/  before 2.15.2, 2.16.x before 2.16.4, and 2.17.x
                 PR:N/UI:N/  before 2.17.1, code to sanity-check pathnames on
                 S:U/C:H/I:N NTFS can result in reading out-of-bounds memory.
                 /A:N )
                             Git through 2.14.2 mishandles layers of tree
                 5.5 (       objects, which allows remote attackers to cause a
                 CVSS:3.0/   denial of service (memory consumption) via a
CVE-2017-15298   AV:L/AC:L/  crafted repository, aka a Git bomb. This can also
                 PR:N/UI:R/  have an impact of disk consumption; however, an
                 S:U/C:N/I:N affected process typically would not survive its
                 /A:H )      attempt to build the data structure in memory
                             before writing to disk.
                 9.8 (       Bouncy Castle BKS version 1 keystore (BKS-V1)
                 CVSS:3.0/   files use an HMAC that is only 16 bits long, which
CVE-2018-5382    AV:N/AC:L/  can allow an attacker to compromise the integrity
                 PR:N/UI:N/  of a BKS-V1 keystore. All BKS-V1 keystores are
                 S:U/C:H/I:H vulnerable. Bouncy Castle release 1.47 introduces
                 /A:H )      BKS version 2, which uses a 160-bit MAC.
                             Legion of the Bouncy Castle Legion of the Bouncy
                             Castle Java Cryptography APIs 1.58 up to but not
                             including 1.60 contains a CWE-470: Use of
                             Externally-Controlled Input to Select Classes or
                 9.8 (       Code ('Unsafe Reflection') vulnerability in XMSS/
                 CVSS:3.0/   XMSS^MT private key deserialization that can
CVE-2018-1000613 AV:N/AC:L/  result in Deserializing an XMSS/XMSS^MT private
                 PR:N/UI:N/  key can result in the execution of unexpected
                 S:U/C:H/I:H code. This attack appear to be exploitable via A
                 /A:H )      handcrafted private key can include references to
                             unexpected classes which will be picked up from
                             the class path for the executing application. This
                             vulnerability appears to have been fixed in 1.60
                             and later.
                 7.4 (
                 CVSS:3.0/   In the Bouncy Castle JCE Provider version 1.55 and
CVE-2016-1000344 AV:N/AC:H/  earlier the DHIES implementation allowed the use
                 PR:N/UI:N/  of ECB mode. This mode is regarded as unsafe and
                 S:U/C:H/I:H support for it has been removed from the provider.
                 /A:N )
                 7.4 (
                 CVSS:3.0/   In the Bouncy Castle JCE Provider version 1.55 and
CVE-2016-1000352 AV:N/AC:H/  earlier the ECIES implementation allowed the use
                 PR:N/UI:N/  of ECB mode. This mode is regarded as unsafe and
                 S:U/C:H/I:H support for it has been removed from the provider.
                 /A:N )
                             The Bouncy Castle Java library before 1.51 does
                 5.0 AV:N/   not validate a point is withing the elliptic
CVE-2015-7940    AC:L/Au:N/  curve, which makes it easier for remote attackers
                 C:P/I:N/A:N to obtain private keys via a series of crafted
                             elliptic curve Diffie Hellman (ECDH) key
                             exchanges, aka an "invalid curve attack."
                             In the Bouncy Castle JCE Provider version 1.55 and
                 7.5 (       earlier ECDSA does not fully validate ASN.1
                 CVSS:3.0/   encoding of signature on verification. It is
CVE-2016-1000342 AV:N/AC:L/  possible to inject extra elements in the sequence
                 PR:N/UI:N/  making up the signature and still have it
                 S:U/C:N/I:H validate, which in some cases may allow the
                 /A:N )      introduction of 'invisible' data into a signed
                             structure.
                             In the Bouncy Castle JCE Provider version 1.55 and
                 7.5 (       earlier the DSA key pair generator generates a
                 CVSS:3.0/   weak private key if used with default values. If
                 AV:N/AC:L/  the JCA key pair generator is not explicitly
CVE-2016-1000343 PR:N/UI:N/  initialised with DSA parameters, 1.55 and earlier
                 S:U/C:H/I:N generates a private value assuming a 1024 bit key
                 /A:N )      size. In earlier releases this can be dealt with
                             by explicitly passing parameters to the key pair
                             generator.
                             In the Bouncy Castle JCE Provider version 1.55 and
                             earlier the primary engine class used for AES was
                             AESFastEngine. Due to the highly table driven
                             approach used in the algorithm it turns out that
                 5.3 (       if the data channel on the CPU can be monitored
                 CVSS:3.0/   the lookup table accesses are sufficient to leak
CVE-2016-1000339 AV:N/AC:L/  information on the AES key being used. There was
                 PR:N/UI:N/  also a leak in AESEngine although it was
                 S:U/C:L/I:N substantially less. AESEngine has been modified to
                 /A:N )      remove any signs of leakage (testing carried out
                             on Intel X86-64) and is now the primary AES class
                             for the BC JCE provider from 1.56. Use of
                             AESFastEngine is now only recommended where
                             otherwise deemed appropriate.
                             In Bouncy Castle JCE Provider version 1.55 and
                 7.5 (       earlier the DSA does not fully validate ASN.1
                 CVSS:3.0/   encoding of signature on verification. It is
CVE-2016-1000338 AV:N/AC:L/  possible to inject extra elements in the sequence
                 PR:N/UI:N/  making up the signature and still have it
                 S:U/C:N/I:H validate, which in some cases may allow the
                 /A:N )      introduction of 'invisible' data into a signed
                             structure.
                 5.9 (       In the Bouncy Castle JCE Provider version 1.55 and
                 CVSS:3.0/   earlier DSA signature generation is vulnerable to
                 AV:N/AC:H/  timing attack. Where timings can be closely
CVE-2016-1000341 PR:N/UI:N/  observed for the generation of signatures, the
                 S:U/C:H/I:N lack of blinding in 1.55, or earlier, may allow an
                 /A:N )      attacker to gain information about the signature's
                             k value and ultimately the private value as well.
                 3.7 (       In the Bouncy Castle JCE Provider version 1.55 and
                 CVSS:3.0/   earlier the other party DH public key is not fully
                 AV:N/AC:H/  validated. This can cause issues as invalid keys
CVE-2016-1000346 PR:N/UI:N/  can be used to reveal details about the other
                 S:U/C:L/I:N party's private key where static Diffie-Hellman is
                 /A:N )      in use. As of release 1.56 the key parameters are
                             checked on agreement calculation.
                 5.9 (       In the Bouncy Castle JCE Provider version 1.55 and
                 CVSS:3.0/   earlier the DHIES/ECIES CBC mode vulnerable to
                 AV:N/AC:H/  padding oracle attack. For BC 1.55 and older, in
CVE-2016-1000345 PR:N/UI:N/  an environment where timings can be easily
                 S:U/C:H/I:N observed, it is possible with enough observations
                 /A:N )      to identify when the decryption is failing due to
                             padding.
                             BouncyCastle TLS prior to version 1.0.3, when
                 5.9 (       configured to use the JCE (Java Cryptography
                 CVSS:3.0/   Extension) for cryptographic functions, provides a
CVE-2017-13098   AV:N/AC:H/  weak Bleichenbacher oracle when any TLS cipher
                 PR:N/UI:N/  suite using RSA key exchange is negotiated. An
                 S:U/C:H/I:N attacker can recover the private key from a
                 /A:N )      vulnerable application. This vulnerability is
                             referred to as "ROBOT."
                             The TLS implementation in the Bouncy Castle Java
                             library before 1.48 and C# library before 1.8 does
                             not properly consider timing side-channel attacks
                 4.0 AV:N/   on a noncompliant MAC check operation during the
CVE-2013-1624    AC:H/Au:N/  processing of malformed CBC padding, which allows
                 C:P/I:P/A:N remote attackers to conduct distinguishing attacks
                             and plaintext-recovery attacks via statistical
                             analysis of timing data for crafted packets, a
                             related issue to CVE-2013-0169.
                             rsyslog before 7.6.6 and 8.x before 8.4.1 and
                 7.5 (AV:N/  sysklogd 1.5 and earlier allows remote attackers
CVE-2014-3634    AC:L/Au:N/  to cause a denial of service (crash), possibly
                 C:P/I:P/    execute arbitrary code, or have other unspecified
                 A:P)        impact via a crafted priority (PRI) value that
                             triggers an out-of-bounds array access.
                 9.8 (
                 CVSS:3.0/   The zmq3 input and output modules in rsyslog
CVE-2017-12588   AV:N/AC:L/  before 8.28.0 interpreted description fields as
                 PR:N/UI:N/  format strings, possibly allowing a format string
                 S:U/C:H/I:H attack with unspecified impact.
                 /A:H )
                             Double free vulnerability in the writeDataError
                 6.8 (AV:N/  function in the ElasticSearch plugin
                 AC:M/Au:N/  (omelasticsearch) in rsyslog before 7.4.2 and
CVE-2013-4758    C:P/I:P/    before 7.5.2 devel, when errorfile is set to local
                 A:P)        logging, allows remote attackers to cause a denial
                             of service (crash) and possibly execute arbitrary
                             code via a crafted JSON response.
                             Stack-based buffer overflow in the
                 5.0 (AV:N/  parseLegacySyslogMsg function in tools/syslogd.c
CVE-2011-3200    AC:L/Au:N/  in rsyslogd in rsyslog 4.6.x before 4.6.8 and
                 C:N/I:N/    5.2.0 through 5.8.4 might allow remote attackers
                 A:P)        to cause a denial of service (application exit)
                             via a long TAG in a legacy syslog message.
                             Integer overflow in rsyslog before 7.6.7 and 8.x
                 5.0 (AV:N/  before 8.4.2 and sysklogd 1.5 and earlier allows
CVE-2014-3683    AC:L/Au:N/  remote attackers to cause a denial of service
                 C:N/I:N/    (crash) via a large priority (PRI) value. NOTE:
                 A:P)        this vulnerability exists because of an incomplete
                             fix for CVE-2014-3634.
                 7.5 (       A denial of service vulnerability was found in
                 CVSS:3.0/   rsyslog in the imptcp module. An attacker could
CVE-2018-16881   AV:N/AC:L/  send a specially crafted message to the imptcp
                 PR:N/UI:N/  socket, which would cause rsyslog to crash.
                 S:U/C:N/I:N Versions before 8.27.0 are vulnerable.
                 /A:H )
                 7.5 (       Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA
                 CVSS:3.0/   1.0.1 and earlier have a flaw in the Low-level
                 AV:N/AC:L/  interface to RSA key pair generator, specifically
CVE-2018-1000180 PR:N/UI:N/  RSA Key Pairs generated in low-level API with
                 S:U/C:H/I:N added certainty may have less M-R tests than
                 /A:N )      expected. This appears to be fixed in versions BC
                             1.60 beta 4 and later, BC-FJA 1.0.2 and later.
                 5.6 (
                 CVSS:3.1/
CVE-2020-1652    AV:N/AC:H/  OpenNMS is exposed via port 9443
                 PR:N/UI:N/
                 S:U/C:L/I:L
                 /A:L )

Solution:
The following software releases have been updated to resolve this specific
issue: Junos Space and Junos Space Security Director 20.1R1, and all subsequent
releases.

These issues are being tracked as 1482263, 1482261, 1482255, 1482253,
1482133, 1482130 and 1233680.

Workaround:

There are no workarounds for these issues.

To reduce the risk of exploitation of these issues, use access lists or
firewall filters to limit access to Junos Space to only trusted administrative
networks, hosts and users.
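As an added illustration of the access-list mitigation above (example
configuration written for this bulletin, not Juniper's own), the following is
a stateless Junos firewall filter applied to the router interface in front of
the Junos Space appliance. It permits only a trusted administrative subnet to
reach the appliance's management ports and logs and drops everything else.
The subnet 192.0.2.0/24, the appliance address 198.51.100.10, the interface
ge-0/0/0, the filter and counter names, and ports 22 and 443 are placeholders
chosen for the example; port 9443 is the one named in CVE-2020-1652 above.

```junos
/* Example filter, not from the advisory: addresses, interface, names and
   the 22/443 ports are placeholders; 9443 is the port named in CVE-2020-1652. */
firewall {
    family inet {
        filter protect-junos-space {
            /* Management traffic from the trusted admin subnet only */
            term allow-trusted-admins {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    destination-address {
                        198.51.100.10/32;
                    }
                    protocol tcp;
                    destination-port [ 22 443 9443 ];
                }
                then accept;
            }
            /* Any other attempt to reach the management ports is counted,
               logged and dropped, which gives a detection signal */
            term deny-untrusted {
                from {
                    destination-address {
                        198.51.100.10/32;
                    }
                    protocol tcp;
                    destination-port [ 22 443 9443 ];
                }
                then {
                    count junos-space-denied;
                    log;
                    discard;
                }
            }
            /* Traffic unrelated to the appliance is left alone */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input protect-junos-space;
                }
            }
        }
    }
}
```

After committing, `show firewall filter protect-junos-space` shows the
junos-space-denied counter, so a rising count is a simple indicator that
untrusted hosts are probing the appliance. The explicit `allow-rest` term
matters: a Junos filter ends with an implicit discard, so without it all
other traffic on the interface would be dropped.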

Implementation:

Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

2020-07-08: Initial Publication.

CVSS Score:
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXwZ+GeNLKJtyKPYoAQj9ag//X0T9lncpilKZnqzWEPPjwRN3qE/SWgqE
ULF9CVrcJyJwW3w3vM9nJ5li/BpQ7HJvlXspuIJYC7cqJFEOG/FQHoZKs1mC66pq
kw46STmxi/r/QkCshqZDYbiE9YtoO9FNmhss2VstwSKhyj0x/tpvo+LsbMPgc8lG
bIZCh935e0Z0uzzTFwMphMoQrIwxzi7uPWdhU5D3qJmP6EUyaj5JaK0EhTSh+9j3
N7ZYMMMU5PZtNeBDrH2TpfT4dX2BgP2+0U0Wj+jfhJh3lhA23myM4QHSY/6ZMf2a
K+gR9pE0g2I07GQVhUuBMunLBmg72rf5z80mvqKDOcJx0gBjug5SRp3lcqoNKXal
NLrb+TtPlgWjMiOGKCTKdy8/TelgB/2ARA2NSSVrHIm2y+tc1TmleTRSB+mfnh5/
Dc2Y4ckKwD9OKCAMwD/908zFxlbpamvUL4xBpEIfOlqEh6IMNH9zDZaKJ2KYh/+K
wKYCDiv9mtgymJ2ZgfWSvSqQjXeolonDAhst8+p8SsqqkDE3Z7KidEG6Kp6uSV8Y
3GUUrWiLo61J7HP47Zg8eSEZkKJAQVeh/RFYlKn4jLdcETQpwVNEloZgYmNehQCm
qjwL2mLvbQcv8lxdQFhcBgSx1QQ09dBm8+rL0KNafcXwNgbmxUBHxkZsKTUSAkF3
mkZS7G9G8uA=
=pQf0
-----END PGP SIGNATURE-----