
Warning: Multiple vulnerabilities found in J-Web component of all versions of Junos OS

Reference:
Advisory #2022-41
Version:
1.0
Impacted software:
All Junos OS versions prior to 19.1R3-S9
19.2 versions prior to 19.2R3-S6
19.3 versions prior to 19.3R3-S7
19.4 versions prior to 19.4R3-S9
20.1 versions prior to 20.1R3-S5
20.2 versions prior to 20.2R3-S5
20.3 versions prior to 20.3R3-S5
20.4 versions prior to 20.4R3-S4
21.1 versions prior to 21.1R3-S2
21.2 versions prior to 21.2R3-S1
21.3 versions prior to 21.3R3
21.4 versions prior to 21.4R3
22.1 versions prior to 22.1R2
Type: 
Multiple
CVE/CVSS: 
CVE-2022-22241 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2022-22242 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE-2022-22243 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVE-2022-22244 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVE-2022-22245 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVE-2022-22246 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


Sources

https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US

Risks

One or more of the above vulnerabilities could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion upon successful exploitation.

CVE-2022-22241 requires an attacker to have remote network access to the Juniper appliance, is of high complexity, requires no privileges or user interaction, and has high impact on confidentiality, availability and integrity.

CVE-2022-22242 requires an attacker to have remote network access to the Juniper appliance, is of low complexity, requires no privileges but does require user interaction, and has low impact on confidentiality, low impact on integrity and no impact on availability.

CVE-2022-22243 requires an attacker to have remote network access to the Juniper appliance, is of low complexity, requires low privileges and no user interaction, and has low impact on confidentiality and no impact on integrity or availability.

CVE-2022-22244 requires an attacker to have remote network access to the Juniper appliance, is of low complexity, requires no privileges and no user interaction, and has low impact on confidentiality and no impact on integrity and availability.

CVE-2022-22245 requires an attacker to have remote network access to the Juniper appliance, is of low complexity, requires low privileges and no user interaction, and has no impact on confidentiality, low impact on integrity and no impact on availability.

CVE-2022-22246 requires an attacker to have remote network access to the Juniper appliance, is of high complexity, requires low privileges and no user interaction, and has high impact on confidentiality, integrity and availability.

Description

On 12 October 2022, network equipment vendor Juniper Networks released a security advisory detailing multiple vulnerabilities in the J-Web component of Junos OS.

The J-Web interface is used to monitor, configure, troubleshoot and manage Juniper appliances via a web browser.

Recommended actions

The Centre for Cyber Security Belgium recommends that administrators of Juniper Networks appliances check whether their Junos OS version is affected and, if the J-Web interface is enabled, update to a fixed version accordingly.

If updating to a fixed version is not immediately possible, a workaround is to disable the J-Web functionality or to restrict access to trusted hosts only.
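The version check recommended above, as an added example that is not part of this advisory or of Juniper's own tooling: it parses Junos release strings of the common `MAJOR.MINORR<n>[-S<n>][.<n>]` form (an assumption; X and D branches are rejected rather than guessed) and compares them against the fixed versions listed on this page. The sample inventory is constructed.

```python
import re
from typing import Optional, Tuple

# Fixed versions transcribed from the "Impacted software" list of this advisory.
FIXED_VERSIONS = {
    "19.1": "19.1R3-S9", "19.2": "19.2R3-S6", "19.3": "19.3R3-S7", "19.4": "19.4R3-S9",
    "20.1": "20.1R3-S5", "20.2": "20.2R3-S5", "20.3": "20.3R3-S5", "20.4": "20.4R3-S4",
    "21.1": "21.1R3-S2", "21.2": "21.2R3-S1", "21.3": "21.3R3",    "21.4": "21.4R3",
    "22.1": "22.1R2",
}
OLDEST_LISTED_TRAIN = (19, 1)  # "All Junos OS versions prior to 19.1R3-S9"

# Assumed release format: <major>.<minor>R<release>[-S<service>][.<patch>], e.g. 20.4R3-S4.1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?$")


def parse_junos_version(version: str) -> Tuple[int, ...]:
    """Turn a Junos release string into a comparable tuple; reject other formats."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported Junos version format: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def check_jweb_advisory(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version) for CCB Advisory #2022-41.

    A train older than 19.1 is affected and has no in-train fix (upgrade to
    19.1R3-S9 or later). A train newer than 22.1 is not in the advisory's list
    and is reported as not affected by it; consult the Juniper bulletin for those.
    """
    parsed = parse_junos_version(version)
    if parsed[:2] < OLDEST_LISTED_TRAIN:
        return True, FIXED_VERSIONS["19.1"]
    fixed = FIXED_VERSIONS.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return False, None
    return parsed < parse_junos_version(fixed), fixed


if __name__ == "__main__":
    # Constructed sample inventory, as exported from a fleet-management tool.
    inventory = {"edge-fw-1": "19.2R3-S5", "core-rtr-2": "21.3R3", "branch-3": "18.4R3-S10"}
    for host, ver in inventory.items():
        affected, fixed = check_jweb_advisory(ver)
        status = f"AFFECTED, upgrade to {fixed} or later" if affected else "not affected"
        print(f"{host}: Junos {ver}: {status}")
```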