Juniper Networks Family of Products (Session Smart Router, Conductor, Junos OS, etc.) Security Update Advisory (CVE-2024-2973, CVE-2024-21586)
Overview
An update has been made available to fix vulnerabilities in Session Smart Router, Conductor, and Junos OS from Juniper Networks (https://supportportal.juniper.net/). Users of affected versions are advised to update to the latest version.
Affected Products
Juniper Networks Session Smart Router, Juniper Networks Session Smart Conductor
- All versions below 5.6.15
- 6.0 (inclusive) ~ 6.1.9-LTS (excluded)
- 6.2 (inclusive) ~ 6.2.5-STS (excluded)
Juniper Networks WAN Assurance Router
- 6.0 (inclusive) ~ 6.1.9-LTS (excluded)
- 6.2 (inclusive) ~ 6.2.5-STS (excluded)
Juniper Networks Junos OS
- Any version of 21.4 prior to 21.4R3-S7.9
- Any version of 22.1 prior to 22.1R3-S5.3
- Any version of 22.2 prior to 22.2R3-S4.11
- Any version of 22.3 prior to 22.3R3
- Any version of 22.4 prior to 22.4R3
Resolved Vulnerabilities
Authentication bypass using an alternate path or channel vulnerability in Juniper Networks Session Smart Router or Conductor, when running with a redundant peer, could allow a network-based attacker to bypass authentication and take full control of the device (CVE-2024-2973).
This vulnerability only affects Routers or Conductors running in a high-availability redundant configuration.
Vulnerability in Juniper Networks SRX Series in Junos OS due to improper checking for abnormal or exceptional conditions in the Packet Forwarding Engine (PFE) (CVE-2024-21586).
This vulnerability affects only SRX Series devices running Junos OS.
* Versions on or below 21.4R1 are not affected by this vulnerability.
Vulnerability Patches
Vulnerability patches for CVE-2024-2973 were made available in the June 28, 2024 update, and patches for CVE-2024-21586 in the July 1, 2024 update. Users of affected products are advised to update to the following fixed versions:
Juniper Networks Session Smart Router, Juniper Networks WAN Assurance Router
- 5.6.15, 6.1.9, 6.2.5 and later versions
Juniper Networks Session Smart Conductor
- 5.6.15, 6.1.9, 6.2.5 and later versions
- Conductor node upgrades
Juniper Networks Junos OS
- 21.4R3-S7.9, 22.1R3-S5.3, 22.2R3-S4.11, 22.3R3, 22.4R3, 23.2R1, and all subsequent releases
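The affected and fixed ranges above are easy to misread when comparing by hand, because Junos OS release strings (21.4R3-S7.9) and Session Smart Router release strings (6.1.9-LTS) do not sort as plain text. The following is an added example, not code from Juniper or from this advisory, that parses both formats and decides whether a given release falls inside the affected ranges listed on this page. It assumes the version string shapes shown on the page (MAJOR.MINOR R<n>[.<n>][-S<n>[.<n>]] for Junos OS, MAJOR.MINOR.PATCH[-TAG] for SSR), treats "6.0" and "6.2" as 6.0.0 and 6.2.0, ignores the -LTS/-STS tag when comparing, and applies the page's note that Junos OS 21.4R1 and earlier are not affected.

```python
import re
from typing import List, Optional, Tuple

# Junos OS (CVE-2024-21586): train -> first fixed release, as listed in the advisory.
# A release on a listed train is affected when it is older than the fixed release;
# trains not listed here are not affected.
JUNOS_FIXED_BY_TRAIN = {
    (21, 4): "21.4R3-S7.9",
    (22, 1): "22.1R3-S5.3",
    (22, 2): "22.2R3-S4.11",
    (22, 3): "22.3R3",
    (22, 4): "22.4R3",
}

# SSR / Conductor (CVE-2024-2973): (lower bound inclusive or None, upper bound exclusive).
SSR_AFFECTED_RANGES = [
    (None, "5.6.15"),        # all versions below 5.6.15
    ("6.0.0", "6.1.9-LTS"),  # 6.0 (inclusive) up to 6.1.9-LTS (excluded)
    ("6.2.0", "6.2.5-STS"),  # 6.2 (inclusive) up to 6.2.5-STS (excluded)
]

_JUNOS_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:\.(?P<rb>\d+))?"
    r"(?:-S(?P<s>\d+)(?:\.(?P<sb>\d+))?)?$"
)
_SSR_RE = re.compile(r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-[A-Za-z]+)?$")


def parse_junos(version: str) -> Tuple[int, ...]:
    """Turn '22.2R3-S4.11' into the comparable tuple (22, 2, 3, 0, 4, 11).

    A base release such as 22.3R3 yields (22, 3, 3, 0, 0, 0), so it sorts
    before every 22.3R3-Sn service release, as intended.
    """
    m = _JUNOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos OS version string: {version!r}")

    def num(name: str) -> int:
        return int(m.group(name) or 0)

    return (num("major"), num("minor"), num("r"), num("rb"), num("s"), num("sb"))


def parse_ssr(version: str) -> Tuple[int, int, int]:
    """Turn '6.1.9-LTS' into (6, 1, 9); the -LTS/-STS tag is not part of the order."""
    m = _SSR_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SSR version string: {version!r}")
    return (int(m.group("major")), int(m.group("minor")), int(m.group("patch")))


def junos_affected(version: str) -> bool:
    """True if an SRX Series Junos OS release is inside the CVE-2024-21586 range."""
    v = parse_junos(version)
    if v <= parse_junos("21.4R1"):  # advisory: 21.4R1 and below are not affected
        return False
    fixed = JUNOS_FIXED_BY_TRAIN.get(v[:2])
    return fixed is not None and v < parse_junos(fixed)


def ssr_affected(version: str) -> bool:
    """True if a Session Smart Router/Conductor release is inside the CVE-2024-2973 range."""
    v = parse_ssr(version)
    for lo, hi in SSR_AFFECTED_RANGES:
        if (lo is None or parse_ssr(lo) <= v) and v < parse_ssr(hi):
            return True
    return False


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (hostname, product, version) rows, return the hostnames still exposed.

    product is 'junos' for SRX Series devices or 'ssr' for Session Smart
    Router/Conductor nodes; anything else is reported as unknown and skipped.
    """
    exposed = []
    for host, product, version in inventory:
        if product == "junos" and junos_affected(version):
            exposed.append(host)
        elif product == "ssr" and ssr_affected(version):
            exposed.append(host)
    return exposed


# Constructed sample inventory (hypothetical hostnames and versions, not from the advisory).
SAMPLE_INVENTORY = [
    ("srx-edge-1", "junos", "21.4R3-S7.8"),   # one build short of the fix
    ("srx-edge-2", "junos", "22.3R3"),        # fixed release
    ("srx-lab", "junos", "20.4R3-S9"),        # train not in scope
    ("ssr-ha-a", "ssr", "6.1.8"),             # inside 6.0 .. 6.1.9-LTS
    ("ssr-ha-b", "ssr", "6.2.5-STS"),         # fixed release
    ("conductor-1", "ssr", "5.6.15"),         # fixed release
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected, schedule upgrade")
```

Run it against an exported inventory of (hostname, product, version) rows; hosts whose release falls inside an affected range are returned, and anything on a newer train such as 23.2R1 is reported as not affected. Comparing tuples rather than strings is what makes 22.2R3-S4.10 correctly sort below 22.2R3-S4.11.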
Referenced Sites
[1] CVE-2024-2973 Detail
https://nvd.nist.gov/vuln/detail/cve-2024-2973
[2] 2024-06: Out-Of-Cycle Security Bulletin: Session Smart Router (SSR): On redundant router deployments API authentication can be bypassed (CVE-2024-2973)
[3] CVE-2024-21586 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-21586
[4] 2024-07: Out-of-Cycle Security Bulletin: Junos OS: SRX Series: Specific valid traffic leads to a PFE crash (CVE-2024-21586)