Connect with us

Hi, what are you looking for?



Juniper Networks Patches Critical Third-Party Component Vulnerabilities

Juniper Networks this week announced patches for tens of vulnerabilities across its product portfolio, including critical bugs in Junos OS and STRM.

Networking, cloud and cybersecurity solutions provider Juniper Networks this week published advisories detailing tens of vulnerabilities found across its product portfolio, including critical bugs in third-party components of Junos OS and STRM.

One of the advisories addresses multiple critical-severity vulnerabilities in Expat (libexpat), a third-party stream-oriented XML parser library.

Juniper’s advisory details 15 Expat vulnerabilities resolved with the latest Junos OS releases, seven of which are rated ‘critical severity’ (CVSS score of 9.8). Although disclosed over the past two years, the flaws are not known to be exploited in malicious attacks.

Updates that address these vulnerabilities were released for Junos OS versions 19.4 to 22.2. Juniper recommends using access lists or firewall filters to reduce the risks associated with these bugs.

Juniper also announced that patches for CVE-2022-42889, a critical vulnerability in Apache Commons Text leading to remote code execution, were released for Security Threat Response Manager (STRM).

This week, the networking company also announced patches for multiple high-severity vulnerabilities impacting Junos OS and Junos OS Evolved, the most severe of which could lead to command injection and code execution.

Two high-severity flaws in Junos OS Evolved could allow a low-privileged local attacker to modify files or execute commands with root privileges, or execute administrative commands, respectively.

Advertisement. Scroll to continue reading.

Multiple high-severity vulnerabilities addressed this week in Junos OS and Junos OS Evolved could allow an attacker to cause a denial-of-service (DoS) condition.

Juniper also resolved a severe bug in Paragon Active Assurance (formerly Netrounds) that could be exploited to bypass existing firewall rules and limitations.

Juniper has also announced patches for multiple medium-severity issues in Junos OS that could allow an attacker to cause a DoS condition, send packets that were intended to be dropped, access sensitive information, bypass an integrity check, cause traffic to be allowed through, or bypass console access controls.

Juniper makes no mention of any of these vulnerabilities being exploited in attacks. Additional details on the addresses flaws can be found on the Juniper Networks security advisories page.

Related: Juniper Networks Patches Over 200 Third-Party Component Vulnerabilities

Related: Juniper Networks Kicks Off 2023 With Patches for Over 200 Vulnerabilities

Related: Juniper Networks Patches Vulnerabilities in Contrail Networking, Junos OS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.