2023-08-19

Networking hardware company Juniper Networks has released an “out-of-cycle” security update to address multiple vulnerabilities in the J-Web component of Junos OS. These flaws have a cumulative CVSS rating of 9.8, making them Critical in severity. They affect all versions of Junos OS on SRX and EX Series.

According to Juniper Networks, these vulnerabilities could be chained together to allow an unauthenticated, network-based attacker to remotely execute code on vulnerable devices. The J-Web interface, which is used to configure, manage, and monitor Junos OS devices, is specifically affected by these vulnerabilities.

The specific vulnerabilities are as follows:

– Two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) allow an unauthenticated attacker to control certain PHP environment variables.

– Two missing authentication for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847) allow an unauthenticated attacker to cause a limited impact on file system integrity.

To exploit these vulnerabilities, a threat actor could send a specially crafted request to modify PHP environment variables or upload arbitrary files via J-Web without authentication.

Juniper Networks has released updates addressing these vulnerabilities for the affected versions of Junos OS on EX Series and SRX Series devices. Users are advised to apply these fixes to mitigate potential remote code execution threats. As a temporary workaround, Juniper Networks suggests disabling J-Web or restricting access to trusted hosts only.
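As an added illustration, not taken from Juniper's advisory or this article, the Junos set-style configuration below shows the two workarounds side by side: a loopback (lo0) firewall filter that limits J-Web's HTTP/HTTPS ports on the routing engine to a trusted management prefix, and the command that deactivates J-Web outright. The filter name, term names, counter name and the 192.0.2.0/24 management prefix are placeholders to replace with your own.

```junos
# --- Option 1: restrict J-Web to trusted hosts only ---
# Placeholder management prefix (assumption); use your real admin network.
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED then accept
# Count and drop every other connection attempt to the J-Web ports.
set firewall family inet filter PROTECT-RE term DENY-JWEB from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-JWEB from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term DENY-JWEB then count jweb-denied
set firewall family inet filter PROTECT-RE term DENY-JWEB then discard
# Leave all other routing-engine traffic as before (tighten separately).
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept
# Attach the filter to traffic destined for the routing engine itself.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# --- Option 2: turn J-Web off until the fixed release is installed ---
# deactivate keeps the stanza in the config so it can be re-enabled later;
# "delete system services web-management" removes it entirely.
deactivate system services web-management

# --- Verification after commit (operational mode) ---
# show configuration system services web-management   (should show "inactive" or nothing)
# show firewall filter PROTECT-RE                      (jweb-denied counter shows blocked attempts)
```

If lo0 already carries an input filter, merge these terms into it rather than replacing it, since a new filter silently replaces the old one. On SRX devices J-Web reachability is additionally governed by each security zone's host-inbound-traffic system-services settings, so check those too.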

Protecting network security is crucial, and it is essential for users to stay updated with security patches and recommendations from their network hardware providers. Stay informed and follow us on Twitter and LinkedIn for more exclusive content.