Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Juniper Networks Patches Dozens of Vulnerabilities

Juniper Networks has announced patches for dozens of vulnerabilities in Junos OS, Junos OS Evolved, and third-party components.

Juniper Networks has released patches for dozens of vulnerabilities in its Junos OS and Junos OS Evolved network operating systems, including multiple flaws in several third-party software components.

Fixes were announced for roughly a dozen high-severity security defects impacting components such as the packet forwarding engine (PFE), routing protocol daemon (RPD), routing engine (RE), kernel, and HTTP daemon.

According to Juniper, network-based, unauthenticated attackers can send malformed BGP packets or updates, specific HTTPS connection requests, crafted TCP traffic, and MPLS packets to trigger these bugs and cause denial-of-service (DoS) conditions.

Patches were also announced for multiple medium-severity issues affecting components such as PFE, RPD, PFE management daemon (evo-pfemand), command line interface (CLI), AgentD process, packet processing, flow processing daemon (flowd), and the local address verification API.

Successful exploitation of these vulnerabilities could allow attackers to cause DoS conditions, access sensitive information, gain full control of the device, cause issues for downstream BGP peers, or bypass firewall filters.

Juniper also announced patches for vulnerabilities affecting third-party components such as C-ares, Nginx, PHP, and OpenSSL.

The Nginx fixes resolve 14 bugs, including two critical-severity flaws that have been known for more than seven years (CVE-2016-0746 and CVE-2017-20005).

Juniper has patched these vulnerabilities in Junos OS Evolved versions 21.2R3-S8-EVO, 21.4R3-S9-EVO, 22.2R3-S4-EVO, 22.3R3-S3-EVO, 22.4R3-S3-EVO, 23.2R2-S2-EVO, 23.4R1-S2-EVO, 23.4R2-EVO, 24.2R1-EVO, 24.2R2-EVO, and all subsequent releases.

Advertisement. Scroll to continue reading.

Junos OS versions 21.2R3-S8, 21.4R3-S8, 22.1R3-S6, 22.2R3-S4, 22.3R3-S3, 22.4R3-S4, 23.2R2-S2, 23.4R1-S2, 23.4R1-S2, 23.4R2-S1, 24.2R1, and all subsequent releases also contain the fixes.

Juniper also announced patches for a high-severity command injection defect in Junos Space that could allow an unauthenticated, network-based attacker to execute arbitrary shell commands via crafted requests, and an OS command issue in OpenSSH.

The company said it was not aware of these vulnerabilities being exploited in the wild. Additional information can be found on Juniper Networks’ security advisories page.

Related: Jenkins Patches High-Impact Vulnerabilities in Server and Plugins

Related: Remote Code Execution, DoS Vulnerabilities Patched in OpenPLC

Related: F5 Patches High-Severity Vulnerabilities in BIG-IP, NGINX Plus

Related: GitLab Security Update Patches Critical Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Mike Byron has been named Chief Financial Officer (CFO) at Exabeam.

Ex-GitHub chief technology officer Mike Hanley has joined GM as CISO.

Network security and compliance assurance firm Titania has appointed Victoria Dimmick as CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.