複数のJuniper Networks製品に脆弱性、アップデートを

米コンピュータ緊急事態対策チーム（US-CERT: United States Computer Emergency Readiness Team）は7月15日(米国時間)、「Juniper Networks Releases Security Updates for Multiple Products｜CISA」において、Juniper Networksの複数の製品に複数の脆弱性が存在すると伝えた。これら脆弱性を悪用されると、攻撃者によって影響を受けたシステムの制御権が乗っ取られる危険性がある。

脆弱性に関する情報は次のページからたどることができる。

• Security Advisories - Juniper Networks

• Security Advisories - Juniper Networks

今回は多くの製品に対し、セキュリティアドバイザリが発行されており注意が必要。本稿執筆時点で、少なくとも次のセキュリティアドバイザリが発行されている。

• 2021-07 Security Bulletin: Junos OS: MX Series, EX9200 Series, SRX4600: Ethernet interface vulnerable to specially crafted frames (CVE-2021-0290) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS and Junos OS Evolved: LLDP Out-of-Bounds Read vulnerability in l2cpd (CVE-2021-0277) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: FreeBSD-SA-17:09.shm : POSIX shm allows jails to access global namespace (CVE-2017-1087) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: FreeBSD-EN-18:11.listen: TCP during bind, listen or connect and UDP during bind may experience Denial of Service for IPv6 based sockets. (CVE-2018-6925) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS Evolved: Authenticated denial of service in ntpd (CVE-2019-8936) - Juniper Networks
• 2021-07 Security Bulletin: Steel-Belted Radius Carrier Edition: Remote code execution vulnerability when EAP Authentication is configured. (CVE-2021-0276) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: J-Web allows a locally authenticated attacker to escalate their privileges to root. (CVE-2021-0278) - Juniper Networks
• 2021-07 Security Bulletin: Contrail Cloud: Hardcoded credentials for RabbitMQ service (CVE-2021-0279) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: PTX Series and QFX10K Series: Upon receipt of specific packets BFD sessions might flap due to DDoS policer implementation in Packet Forwarding Engine (CVE-2021-0280) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS and Junos OS Evolved: Specific packets can trigger rpd crash when BGP Origin Validation is configured with RPKI (CVE-2021-0281) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: RPD crash while processing a specific BGP UPDATE when Multipath or add-path features are enabled (CVE-2021-0282) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: QFX 5000 Series: Continuous traffic destined to a device configured with MC-LAG leading to nodes losing their control connection which can impact traffic (CVE-2021-0285) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS Evolved: Specially crafted packets may cause the AFT manager process to crash and restart (CVE-2021-0286) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS and Junos OS Evolved: RPD could crash in SR-ISIS/MPLS environment due to a flap of a ISIS link in the network (CVE-2021-0287) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: MX Series, EX9200 Series: FPC may crash upon receipt of specific MPLS packet affecting Trio-based MPCs (CVE-2021-0288) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: User-defined ARP Policer isn't applied on Aggregated Ethernet (AE) interface until firewall process is restarted - Juniper Networks
• 2021-07 Security Bulletin: Junos OS and Junos OS Evolved: A vulnerability allows a network based unauthenticated attacker which sends a high rate of specific traffic to cause a partial Denial of Service (CVE-2021-0291) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS Evolved: Memory leak in arpd or ndp processes can lead to Denial of Service (DoS) (CVE-2021-0292) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: Out-of-memory condition and crashes can occur after executing a certain CLI command repeatedly (CVE-2021-0293) - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: QFX5000 Series and EX4600 Series: Enhanced storm control might not work leading to partial Denial of Service (CVE-2021-0294) - Juniper Networks
• 2021-07 Security Bulletin: Contrail Networking: Multiple Vulnerabilities have been resolved in Contrail Networking release 2011 - Juniper Networks
• 2021-07 Security Bulletin: CTPView: Multiple vulnerabilities resolved in CTPView 9.1R2 - Juniper Networks
• 2021-07 Security Bulletin: Juniper Secure Analytics: JSA Series: Multiple vulnerabilities resolved - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: Upon receipt of specific sequences of genuine packets destined to the device the kernel will crash and restart (vmcore) (CVE-2021-0283, CVE-2021-0284) - Juniper Networks
• 2021-07 Security Bulletin: CTPView: Multiple vulnerabilities resolved in CTPView 7.3R7.1 (CVE-2016-2183, CVE-2016-6329) - Juniper Networks
• 2021-07 Security Bulletin: Juniper Contrail Insights: Multiple vulnerabilities resolved in release 3.2.12-a1 - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: Multiple J-Web vulnerabilities resolved in Junos OS 21.2R1. - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: Multiple J-Web vulnerabilities resolved. - Juniper Networks
• 2021-07 Security Bulletin: Junos OS Evolved: Multiple kernel vulnerabilities resolved - Juniper Networks
• 2021-07 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 21.2R1 - Juniper Networks
• 2021-07 Security Bulletin: Junos OS and Junos OS Evolved: Multiple vulnerabilities in cURL resolved - Juniper Networks
• 2021-07 Security Bulletin: Junos OS: QFX10K Series: Denial of Service (DoS) upon receipt of DVMRP packets received on multi-homing ESI in VXLAN. (CVE-2021-0295) - Juniper Networks

一部の脆弱性は深刻度が緊急（Critical）に分類されており注意が必要。米国土安全保障省サイバーセキュリティ・インフラストラクチャセキュリティ庁(CISA: Cybersecurity and Infrastructure Security Agency)は、ユーザおよび管理者に対して上記セキュリティ情報をチェックするとともに、必要に応じてアップデートを適用することを推奨している。