Juniper patches Logjam, Bar Mitzvah, and various Java vulns

Juniper Networks sysadmins can add Junos Space network management patches to their to-do list.

The gin palace says “any product or platform running Junos Space before 15.2R1” has the privilege escalation vulnerabilities, adding that “Attack vectors include: cross site request forgeries (CSRF), default authentication credentials, information leak and command injection”.

The remotely-exploitable bugs, turned up by the company's internal code review, include six vectors inherited from Oracle's Java SE (CVE-2015-4748, CVE-2015-2601, CVE-2015-2613, CVE-2015-4749, CVE-2015-2625 and CVE-2015-2659). These have been fixed with an upgrade to the Oracle Java runtime, to 1.7.0 update 85.

The company also discovered that Space still had an RC4 implementation that was vulnerable to last year's Bar Mitzvah attack, and a TLS implementation subject to Logjam.

The vulnerabilities have been cleaned up in Junos Space 15.2R1, which first shipped in March 2016.

Juniper adds that Junos Space should only be accessible from trusted networks, and should run on “jump boxes” without direct Internet access. ®