October 3, 2023

Juniper Networks has patched critical-rated bugs in its Junos Space, Contrail Networking and NorthStar Controller products. CISA has cautioned that these flaws should be patched as soon as possible.

The advisory collectively rated 31 Junos Space bugs as critical. The vulnerabilities affect several third-party products, including nginx resolver, Oracle Java SE, OpenSSH, Samba, the RPM package manager, Kerberos, OpenSSL, the Linux kernel, curl, and MySQL Server.

One of the bugs, tracked as CVE-2021-23017 in nginx resolver, has a CVSS severity score of 9.4 and, if exploited, could allow an attacker to crash the entire system.

Juniper also issued an alert about critical vulnerabilities, with a CVSS score of 9.8, in Junos Space Security Director Policy Enforcer, which provides centralized threat management and monitoring for software-defined networks. The vulnerabilities affect versions prior to 22.R1, but Juniper noted that it is not aware of any malicious exploitation of these critical bugs.

The next group of critical vulnerabilities exists in third-party software used in the Contrail Networking product. More than 100 CVEs, some going back to 2013, are addressed with patches.

Upgrading to release 21.4.0 fixes these by moving the Open Container Initiative-compliant Red Hat Universal Base Image container image from Red Hat Enterprise Linux 7 to Red Hat Enterprise Linux 8.

Juniper also fixed an RCE bug, tracked as CVE-2021-23017, that affects its NorthStar Controller product and carries a 9.4 CVSS score. This is the same nginx resolver flaw: if exploited, it could allow an unauthenticated, remote attacker able to forge UDP packets from the DNS server to cause a one-byte memory overwrite, which could result in crashing the process or arbitrary code execution. Upgrading nginx from 1.18.0 to 1.20.1 fixed this issue.

Juniper also issued 24 that it deemed high severity for products including Junos OS, Secure Analytics, Identity Management Service, Paragon Active Assurance and Contrail Networking product lines. The Junos OS bug, for instance, can be abused by a logged-in low-level user to gain total control of the system.
