Connect with us

Hi, what are you looking for?


Network Security

Juniper Networks Patches Over 60 Flaws in Junos, ATP Products

Juniper Networks this week released patches for more than 60 vulnerabilities in its Juniper Advanced Threat Prevention (ATP) appliance, Junos OS operating system, and Junos Space network management platform. Many of the security holes impact third-party components.

Juniper Networks this week released patches for more than 60 vulnerabilities in its Juniper Advanced Threat Prevention (ATP) appliance, Junos OS operating system, and Junos Space network management platform. Many of the security holes impact third-party components.

In Juniper ATP appliances, the company addressed 13 flaws, including persistent cross-site scripting (XSS), arbitrary command execution, hardcoded credentials, information disclosure, and unprotected credentials issues.

Three of the vulnerabilities fixed in ATP devices have been rated “critical,” including ones related to the existence of hardcoded credentials and the storage of Splunk credentials in a file that can be accessed by authenticated local users.

Another three flaws have been assigned a CVSS score between 7.0 and 8.9, which puts them in the “high” severity category. The list includes issues related to the insecure storage of keys used for critical operations in the WebUI interface, the logging of secret passphrase CLI inputs in clear text, and a remote command execution weakness in the XML-RPC server.

In the Junos OS operating system, which powers many of Juniper’s appliances, the company addressed eight vulnerabilities disclosed in the past three years in the libxml2 library, which is used for parsing XML documents. Many of these libxml2 flaws have been assigned “critical” and “high” severity ratings. They can be exploited for denial-of-service (DoS) attacks and other purposes.

Also in Junos OS, the company fixed two OpenSSL vulnerabilities patched by the OpenSSL Project last year.

Finally, Juniper patched nearly 40 vulnerabilities in Junos Space. Nine security holes – one rated “high” and the rest “medium” – have been resolved in version 18.3R1.

Advertisement. Scroll to continue reading.

The rest were fixed in version 18.4R1, including one critical bug that can lead to privilege escalation and arbitrary code execution. A majority of the vulnerabilities addressed in this version have a high severity.

A majority of the Junos Space vulnerabilities impact third-party components and they have been disclosed in 2017 and 2018. The impacted components include QEMU, the Linux kernel (including SegmentSmack), Intel CPUs (LazyFP and L1TF vulnerabilities), the glibc library, procps-ng utilities, libvirt, GnuPG, Samba, BIND, the Web-Dorado Instagram Feed WD plugin, yum-utils tools, the GlusterFS network filesystem, and Mozilla NSS (Network Security Services) libraries.

In addition to the patches released this week, workarounds and mitigations are also available for some of the impacted products.

Related: Juniper Patches Serious Flaws in Junos OS

Related: Juniper Confirms Leaked Implants Target Its Products

Related: DoS Vulnerability Affects Cisco, Juniper Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...