Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Juniper Networks Patches Dozens of Vulnerabilities

Juniper Networks has announced patches for dozens of vulnerabilities in Junos OS, Junos OS Evolved, and third-party components.

Juniper Networks has released patches for dozens of vulnerabilities in its Junos OS and Junos OS Evolved network operating systems, including multiple flaws in several third-party software components.

Fixes were announced for roughly a dozen high-severity security defects impacting components such as the packet forwarding engine (PFE), routing protocol daemon (RPD), routing engine (RE), kernel, and HTTP daemon.

According to Juniper, network-based, unauthenticated attackers can send malformed BGP packets or updates, specific HTTPS connection requests, crafted TCP traffic, and MPLS packets to trigger these bugs and cause denial-of-service (DoS) conditions.

Patches were also announced for multiple medium-severity issues affecting components such as PFE, RPD, PFE management daemon (evo-pfemand), command line interface (CLI), AgentD process, packet processing, flow processing daemon (flowd), and the local address verification API.

Successful exploitation of these vulnerabilities could allow attackers to cause DoS conditions, access sensitive information, gain full control of the device, cause issues for downstream BGP peers, or bypass firewall filters.

Juniper also announced patches for vulnerabilities affecting third-party components such as C-ares, Nginx, PHP, and OpenSSL.

The Nginx fixes resolve 14 bugs, including two critical-severity flaws that have been known for more than seven years (CVE-2016-0746 and CVE-2017-20005).

Juniper has patched these vulnerabilities in Junos OS Evolved versions 21.2R3-S8-EVO, 21.4R3-S9-EVO, 22.2R3-S4-EVO, 22.3R3-S3-EVO, 22.4R3-S3-EVO, 23.2R2-S2-EVO, 23.4R1-S2-EVO, 23.4R2-EVO, 24.2R1-EVO, 24.2R2-EVO, and all subsequent releases.

Advertisement. Scroll to continue reading.

Junos OS versions 21.2R3-S8, 21.4R3-S8, 22.1R3-S6, 22.2R3-S4, 22.3R3-S3, 22.4R3-S4, 23.2R2-S2, 23.4R1-S2, 23.4R1-S2, 23.4R2-S1, 24.2R1, and all subsequent releases also contain the fixes.

Juniper also announced patches for a high-severity command injection defect in Junos Space that could allow an unauthenticated, network-based attacker to execute arbitrary shell commands via crafted requests, and an OS command issue in OpenSSH.

The company said it was not aware of these vulnerabilities being exploited in the wild. Additional information can be found on Juniper Networks’ security advisories page.

Related: Jenkins Patches High-Impact Vulnerabilities in Server and Plugins

Related: Remote Code Execution, DoS Vulnerabilities Patched in OpenPLC

Related: F5 Patches High-Severity Vulnerabilities in BIG-IP, NGINX Plus

Related: GitLab Security Update Patches Critical Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.