CISA Issues Alert for Juniper Secure Analytics Vulnerabilities

In a recent alert, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted that Juniper has issued security updates to resolve several vulnerabilities in the Juniper Secure Analytics Virtual Appliance. This Security Information and Event Management (SIEM) system compiles extensive event data in near real-time, designed specifically for virtualized IT and cloud environments.

The vulnerabilities, identified through external security research, exhibit varying severity levels, including critical and high-severity issues. The agency warns that threat actors could exploit any of these vulnerabilities to take control of an affected system. Consequently, it urges organizations to swiftly identify and address these potential risks.

Which Versions of Juniper Secure Analytics Are Affected?

The vulnerabilities affect Juniper Secure Analytics (JSA) Series Virtual Appliance in all versions up to 7.5.0 UP7. Juniper has released JSA 7.5.0 UP7 IF03 to address these vulnerabilities.

Juniper’s advisory highlights two vulnerabilities of critical severity:

CVE-2023-46604 (CVSS Score: 9.8) Vulnerability Summary: The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution (RCE). An attacker, with network access to a Java-based OpenWire broker or client, can exploit this flaw to execute arbitrary shell commands.

CVE-2023-40787 (CVSS Score: 9.8) Vulnerability Summary: In SpringBlade V3.6.0, a critical SQL injection vulnerability occurs when user-submitted parameters lack essential quotation marks during SQL query execution.

As of now, there is no evidence of any exploitation activity targeting Juniper instances through these vulnerabilities, according to Juniper SIRT.

Among the vulnerabilities listed in the advisory, seven are classified as high-severity. Notably, one of these high-severity vulnerabilities is related to a previously discovered issue known as the Rapid Reset attack:

CVE-2023-44487 (CVSS Score: 7.5): The HTTP/2 protocol is susceptible to a Denial-of-Service exploit, causing server resource consumption. This vulnerability, observed in the wild from August to October 2023, enables the quick reset of multiple streams through request cancellation.