Juniper Networks addressed several vulnerabilities in its products, most of them can be exploited by attackers for denial-of-service (DoS) attacks. Half a dozen of the flaws are DoS issues that have been rated high severity.
The company published a list of security advisories to inform its customers of the vulnerabilities in its products. Some of the issues also affected third-party components, including OpenSSL, Intel firmware, Bouncy Castle, Java SE, Apache software, and others.
Most of the vulnerabilities impact Junos OS, other issues affect Juniper Secure Analytics, Junos Space and Junos Space Security Director.
One of the most severe flaws addressed by Juniper Networks is a double free issue, tracked as CVE-2020-1647, that can lead to DoS or remote code execution due to the processing of a specific HTTP message when ICAP redirect service is enabled. The flaw affects Junos OS 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3.
Another critical vulnerability addressed by the company is CVE-2020-1654, it could be exploited to trigger a DoS condition or to execute arbitrary code remotely.
“On Juniper Networks SRX Series with ICAP (Internet Content Adaptation Protocol) redirect service enabled, processing a malformed HTTP message can lead to a Denial of Service (DoS) or Remote Code Execution (RCE)” reads the advisory.
“Continued processing of this malformed HTTP message may result in an extended Denial of Service (DoS) condition. The offending HTTP message that causes this issue may originate both from the HTTP server or the HTTP client.”
The good news is that Juniper Networks is not aware of any attacks exploiting the above vulnerabilities.
(SecurityAffairs – hacking, Juniper)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.