Published on 19 Sep 2023 | Updated on 20 Sep 2023
Juniper Networks has released a security update to address a series of five vulnerabilities in the J-Web component of Junos OS. Individually the flaws are rated lower, but when chained together they carry a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
Successful chained exploitation of the vulnerabilities could allow an unauthenticated attacker to remotely execute code on vulnerable devices. The vulnerabilities are reportedly being actively exploited as part of such an exploit chain.
Details of the individual vulnerabilities are available in the Juniper bulletin linked below.
The vulnerabilities affect the following versions of Junos OS on the SRX Series (firewalls) and EX Series (switches). Note that the fixed service releases differ slightly between the two platforms (21.4 and 22.2):

Juniper Networks Junos OS on SRX Series:
- All versions prior to 20.4R3-S8
- 21.1 version 21.1R1 and later versions
- 21.2 versions prior to 21.2R3-S6
- 21.3 versions prior to 21.3R3-S5
- 21.4 versions prior to 21.4R3-S5
- 22.1 versions prior to 22.1R3-S3
- 22.2 versions prior to 22.2R3-S2
- 22.3 versions prior to 22.3R2-S2, 22.3R3
- 22.4 versions prior to 22.4R2-S1, 22.4R3

Juniper Networks Junos OS on EX Series:
- All versions prior to 20.4R3-S8
- 21.1 version 21.1R1 and later versions
- 21.2 versions prior to 21.2R3-S6
- 21.3 versions prior to 21.3R3-S5
- 21.4 versions prior to 21.4R3-S4
- 22.1 versions prior to 22.1R3-S3
- 22.2 versions prior to 22.2R3-S1
- 22.3 versions prior to 22.3R2-S2, 22.3R3
- 22.4 versions prior to 22.4R2-S1, 22.4R3
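Reading the version lists above by hand across a fleet is error-prone, so here is an added example (not code from the advisory, from Juniper, or from the bulletin) that checks a `show version` string against the ranges listed on this page and also checks whether J-Web is enabled in a configuration dumped in `display set` form. The `AFFECTED` table is transcribed from the lists above; the version strings and the `SAMPLE_CONFIG` snippet are constructed for illustration. Junos versions are compared as (major, minor, R release, S service release) tuples, which matches how the ranges in the advisory are expressed.

```python
"""Check Junos OS versions against the affected ranges in this advisory.

Added example for this advisory page; not Juniper's own code.  The AFFECTED
table is transcribed from the advisory's SRX/EX lists; sample inputs are
constructed.
"""
import re

# train -> first fixed release in that train, or None when the page lists no
# fixed release ("21.1 version 21.1R1 and later versions").  Where the page
# names two fixed releases ("22.3R2-S2, 22.3R3"), the second is simply the
# next release number and sorts above the first, so the first is the threshold.
AFFECTED = {
    "SRX": {
        (20, 4): "20.4R3-S8",
        (21, 1): None,
        (21, 2): "21.2R3-S6",
        (21, 3): "21.3R3-S5",
        (21, 4): "21.4R3-S5",
        (22, 1): "22.1R3-S3",
        (22, 2): "22.2R3-S2",
        (22, 3): "22.3R2-S2",
        (22, 4): "22.4R2-S1",
    },
    "EX": {
        (20, 4): "20.4R3-S8",
        (21, 1): None,
        (21, 2): "21.2R3-S6",
        (21, 3): "21.3R3-S5",
        (21, 4): "21.4R3-S4",
        (22, 1): "22.1R3-S3",
        (22, 2): "22.2R3-S1",
        (22, 3): "22.3R2-S2",
        (22, 4): "22.4R2-S1",
    },
}

# Version syntax handled: <major>.<minor>R<release>[-S<service>][.<build>],
# e.g. "22.3R2-S2.8" as printed by "show version".  Older X/D-style trains
# (e.g. 15.1X49-D170) and EVO builds are not in the advisory's table, so they
# are rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_version(text):
    """Return (major, minor, release, service); service is 0 for a bare R
    release, so tuple comparison follows Junos release ordering."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Junos version syntax: {text!r}")
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor), int(rel), int(svc or 0))


def is_affected(platform, version):
    """True if `version` is inside the advisory's affected ranges for
    `platform` ("SRX" or "EX"), False if it is at or above the fixed release,
    None if the release train is not listed on this page at all."""
    table = AFFECTED[platform]
    v = parse_version(version)
    train = v[:2]
    if train < (20, 4):        # "All versions prior to 20.4R3-S8"
        return True
    if train not in table:
        return None
    fixed = table[train]
    if fixed is None:          # no fixed release listed for this train
        return True
    return v < parse_version(fixed)


# The exposed component is J-Web, so also check whether it is enabled.  Input
# is the configuration in "display set" form; a later "deactivate" line for
# web-management turns the service off again.
def jweb_enabled(config_set_text):
    enabled = False
    for line in config_set_text.splitlines():
        line = line.strip()
        if re.match(r"^set system services web-management (http|https)\b", line):
            enabled = True
        if line.startswith("deactivate system services web-management"):
            return False
    return enabled


# Constructed sample configuration with J-Web (HTTPS) enabled on fxp0.
SAMPLE_CONFIG = """\
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
"""

if __name__ == "__main__":
    for platform, version in [("SRX", "22.3R2-S1.5"), ("SRX", "22.3R3"),
                              ("EX", "21.4R3-S4"), ("SRX", "21.4R3-S4")]:
        print(platform, version, "affected:", is_affected(platform, version))
    print("J-Web enabled:", jweb_enabled(SAMPLE_CONFIG))
```

A device whose version is affected but where `jweb_enabled` returns False still needs the update, since the check only tells you whether the vulnerable component is reachable at the moment; conversely, a device on a train this page does not list (the function returns None) should be checked against the Juniper bulletin rather than assumed safe.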
Users and administrators of affected product versions are advised to update to the latest version immediately. Where patching cannot be done right away, the Juniper bulletin also describes workarounds: disable J-Web, or restrict access to it to trusted hosts only.
More information is available here:
https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution
https://www.bleepingcomputer.com/news/security/thousands-of-juniper-devices-vulnerable-to-unauthenticated-rce-flaw/