CISA advised users and administrators to apply recently released fixes in Juniper Networks products due to several critical vulnerabilities and stated, “An attacker could exploit some of these vulnerabilities to take control of an affected system.”
The affected products are listed as:
- Juniper Networks Junos Space versions before 22.1R1
- Junos Space Policy Enforcer before version 22.1R1 (CentOS 6.8)
- NorthStar Controller versions before 5.1.0 Service Pack 6 and 6 versions before 6.2.2
- Juniper Networks Contrail Networking versions before 21.4.0
All security updates can be found on Juniper Networks’ Security Advisory and the software patches along with updates on the Software Downloads page.
Affected Juniper Networks Products
Thirty-one critical flaws in Junos Space are patched, which were discovered in various third-party products, including Nginx resolver, Oracle Java SE, OpenSSH, RPM package manager, Samba, OpenSSL, Kerberos, MySQL Server, curl, and the Linux kernel.
The most critical vulnerability in Junos Space is CVE-2021-23017, with a 9.4 CVSS score. It’s a vulnerability in the Nginx resolver. An attacker who can forge UDP packets from the DNS server could cause 1-byte memory overwrite and crash worker process.
There are several known vulnerabilities in CentOS 6.8, which were distributed with Junos Space Policy Enforcer before version 22.1R1. Juniper Network’s SIRT hasn’t discovered any exploitation of this vulnerability.
The Northstar Controller has been patched in versions 5.1.0 Service Pack 6 and 6.2.2 for the same security flaw (CVE-2021-23017).
Juniper Networks Contrail Networking
There are also 166 security flaws in its Contrail Networking product that affect all versions before 21.4.0 and have been assigned the maximum CVSS score of 10.0. Several integer overflows in libgfortran, listed as CVE-2014-5044, can be used by remote attackers to run arbitrary code or bring down a Fortran application via vectors related to array allocation.