Operating System:



08 November 2022

Protect yourself against future threats.

Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

          Contrail Networking: Multiple Vulnerabilities have been
              resolved in Contrail Networking release 2011.L5
                              8 November 2022


        AusCERT Security Bulletin Summary

Product:           Contrail Networking
Publisher:         Juniper Networks
Operating System:  Juniper
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25315 CVE-2022-25236 CVE-2022-25235
                   CVE-2022-23852 CVE-2022-22824 CVE-2022-22823
                   CVE-2022-22822 CVE-2021-45960 CVE-2021-43527
                   CVE-2021-42771 CVE-2021-42550 CVE-2021-35550
                   CVE-2021-31535 CVE-2021-28165 CVE-2021-4034
                   CVE-2021-3177 CVE-2019-9518 CVE-2019-0205
                   CVE-2017-5929 CVE-2016-4658 

Original Bulletin: 

Comment: CVSS (Max):  9.8 CVE-2022-25315 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA69897

Product Affected: These issues affect Contrail Networking version 2011.

Severity Level:   Critical

CVSS Score:       9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Multiple vulnerabilities in third party software used in Juniper Networks 
Contrail Networking have been resolved in release 2011.L5.

These issues affect Juniper Networks Contrail Networking versions prior to 

These issues were discovered during external security research.

Important security issues resolved include:

CVE		CVSS	Summary

CVE-2021-28165	7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)	In 
Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 
11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

CVE-2019-0205	7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)	In 
Apache Thrift all versions up to and including 0.12.0, a server or client may 
run into an endless loop when feed with specific input data. Because the issue 
had already been partially fixed in version 0.11.0, depending on the installed 
version it affects only certain language bindings.

CVE-2017-5929	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	QOS.ch 
Logback before 1.2.0 has a serialization vulnerability affecting the 
SocketServer and ServerSocketReceiver components.

CVE-2021-42550	6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)	In 
logback version 1.2.7 and prior versions, an attacker with the required 
privileges to edit configurations files could craft a malicious configuration 
allowing to execute arbitrary code loaded from LDAP servers.

CVE-2019-9518	7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)	Some 
HTTP/2 implementations are vulnerable to a flood of empty frames, potentially 
leading to a denial of service. The attacker sends a stream of frames with an 
empty payload and without the end-of-stream flag. These frames can be DATA, 
HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each 
frame disproportionate to attack bandwidth. This can consume excess CPU.

CVE-2016-4658	9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 
10.12, tvOS before 10, and watchOS before 3, and other products) does not 
forbid namespace nodes in XPointer ranges, which allows remote attackers to 
execute arbitrary code or cause a denial of service (use-after-free and memory 
corruption) via a crafted XML document.

CVE-2021-31535	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow 
remote attackers to execute arbitrary code. The libX11 XLookupColor request 
(intended for server-side color lookup) contains a flaw allowing a client to 
send color-name requests with a name longer than the maximum size allowed by 
the protocol (and also longer than the maximum packet size for normal-sized 
packets). The user-controlled data exceeding the maximum size is then 
interpreted by the server as additional X protocol requests and executed, e.g., 
to disable X server authorization completely. For example, if the victim 
encounters malicious terminal control sequences for color codes, then the 
attacker may be able to take full control of the running graphical session.

CVE-2021-3177	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	Python 
3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, 
which may lead to remote code execution in certain Python applications that 
accept floating-point numbers as untrusted input, as demonstrated by a 1e300 
argument to c_double.from_param. This occurs because sprintf is used unsafely.

CVE-2021-35550	5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: JSSE). Supported versions that are affected are Java 
SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 
21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with 
network access via TLS to compromise Java SE, Oracle GraalVM Enterprise 
Edition. Successful attacks of this vulnerability can result in unauthorized 
access to critical data or complete access to all Java SE, Oracle GraalVM 
Enterprise Edition accessible data. Note: This vulnerability applies to Java 
deployments, typically in clients running sandboxed Java Web Start applications 
or sandboxed Java applets, that load and run untrusted code (e.g., code that 
comes from the internet) and rely on the Java sandbox for security. This 
vulnerability can also be exploited by using APIs in the specified Component, 
e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base 
Score 5.9 (Confidentiality impacts). CVSS Vector: 

CVE-2021-4034	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	A local 
privilege escalation vulnerability was found on polkit's pkexec utility. The 
pkexec application is a setuid tool designed to allow unprivileged users to run 
commands as privileged users according predefined policies. The current version 
of pkexec doesn't handle the calling parameters count correctly and ends trying 
to execute environment variables as commands. An attacker can leverage this by 
crafting environment variables in such a way it'll induce pkexec to execute 
arbitrary code. When successfully executed the attack can cause a local 
privilege escalation given unprivileged users administrative rights on the 
target machine.

CVE-2021-42771	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale 
.dat files (containing serialized Python objects) via directory traversal, 
leading to code execution.

CVE-2021-43527	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	NSS 
(Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable 
to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. 
Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS 
\https://supportportal.juniper.net/7, or PKCS 
\https://supportportal.juniper.net/12 are likely to be impacted. Applications 
using NSS for certificate validation or other TLS, X.509, OCSP or CRL 
functionality may be impacted, depending on how they configure NSS. *Note: This 
vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF 
viewers that use NSS for signature verification, such as Thunderbird, 
LibreOffice, Evolution and Evince are believed to be impacted. This 
vulnerability affects NSS < 3.73 and NSS < 3.68.1.

CVE-2021-45960	8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	In 
Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the 
storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., 
allocating too few bytes, or only freeing memory).

CVE-2022-22822	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer 

CVE-2022-22823	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer 

CVE-2022-22824	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an 
integer overflow.

CVE-2022-23852	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	Expat 
(aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for 
configurations with a nonzero XML_CONTEXT_BYTES.

CVE-2022-25235	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of 
encoding, such as checks for whether a UTF-8 character is valid in a certain 

CVE-2022-25236	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert 
namespace-separator characters into namespace URIs.

CVE-2022-25315	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	In 
Expat (aka libexpat) before 2.4.5, there is an integer overflow in 


The following software releases have been updated to resolve these specific 
issues: Contrail Networking 2011.L5, and all subsequent releases.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of 
Engineering (EOE) or End of Life (EOL).

Software Releases, patches and updates are available at 

There are no known workarounds for these issues.

Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common 
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Modification History:

2022-10-12: Initial Publication.

Related Information:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process
    KB16765: In which releases are vulnerabilities fixed?
    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
    Report a Security Vulnerability - How to Contact the Juniper Networks 
Security Incident Response Team

Last Updated: 2022-10-12
Created:      2022-10-12

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: https://auscert.org.au/gpg-key/