Networking, cloud and cybersecurity solutions provider Juniper Networks this week published advisories detailing tens of vulnerabilities found across its product portfolio, including critical bugs in third-party components of Junos OS and STRM.
One of the advisories addresses multiple critical-severity vulnerabilities in Expat (libexpat), a third-party stream-oriented XML parser library.
Juniper’s advisory details 15 Expat vulnerabilities resolved with the latest Junos OS releases, seven of which are rated ‘critical severity’ (CVSS score of 9.8). Although disclosed over the past two years, the flaws are not known to be exploited in malicious attacks.
Updates that address these vulnerabilities were released for Junos OS versions 19.4 to 22.2. Juniper recommends using access lists or firewall filters to reduce the risks associated with these bugs.
Juniper also announced that patches for CVE-2022-42889, a critical vulnerability in Apache Commons Text leading to remote code execution, were released for Security Threat Response Manager (STRM).
This week, the networking company also announced patches for multiple high-severity vulnerabilities impacting Junos OS and Junos OS Evolved, the most severe of which could lead to command injection and code execution.
Two high-severity flaws in Junos OS Evolved could allow a low-privileged local attacker to modify files or execute commands with root privileges, or execute administrative commands, respectively.
Multiple high-severity vulnerabilities addressed this week in Junos OS and Junos OS Evolved could allow an attacker to cause a denial-of-service (DoS) condition.
Juniper also resolved a severe bug in Paragon Active Assurance (formerly Netrounds) that could be exploited to bypass existing firewall rules and limitations.
Juniper has also announced patches for multiple medium-severity issues in Junos OS that could allow an attacker to cause a DoS condition, send packets that were intended to be dropped, access sensitive information, bypass an integrity check, cause traffic to be allowed through, or bypass console access controls.
Juniper makes no mention of any of these vulnerabilities being exploited in attacks. Additional details on the addresses flaws can be found on the Juniper Networks security advisories page.
Related: Juniper Networks Patches Over 200 Third-Party Component Vulnerabilities
Related: Juniper Networks Kicks Off 2023 With Patches for Over 200 Vulnerabilities
Related: Juniper Networks Patches Vulnerabilities in Contrail Networking, Junos OS