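On January 13, the United States Computer Emergency Readiness Team (US-CERT) reported in "Juniper Networks Releases Security Updates for Multiple Products | CISA" that multiple vulnerabilities exist in multiple Juniper Networks products. If these vulnerabilities are exploited, an attacker could take control of an affected system.
Information on the vulnerabilities can be reached from the following page.
The most recently released security advisories alone list 34 vulnerabilities in Juniper products, so caution is required. Because of the large number, it is advisable to check carefully, without omissions, whether you are using any of the affected products.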
- 2022-01 Security Bulletin: Junos OS and Junos OS Evolved: After receiving a specific number of crafted packets snmpd will segmentation fault (SIGSEGV) requiring a manual restart. (CVE-2022-22177) - Juniper Networks
- 2022-01 Security Bulletin: Contrail Service Orchestration: Tenants able to see other tenants policies via REST API interface (CVE-2022-22152) - Juniper Networks
- 2022-01 Security Bulletin: SRX Series and MX Series with SPC3: A high percentage of fragments might lead to high latency or packet drops (CVE-2022-22153) - Juniper Networks
- 2022-01 Security Bulletin: Junos Fusion: A Satellite Device can be controlled by rewiring it to a foreign AD causing a DoS (CVE-2022-22154) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: ACX5448: FPC memory leak due to IPv6 neighbor flaps (CVE-2022-22155) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: Certificate validation is skipped when fetching system scripts from a HTTPS URL (CVE-2022-22156) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: SRX Series: Multiple vulnerabilities in traffic classification when 'no-syn-check' is enabled (CVE-2022-22157, CVE-2022-22167) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: An attacker sending crafted packets can cause a traffic and CPU Denial of Service (DoS). (CVE-2022-22159) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: MX Series: The bbe-smgd process crashes if an unsupported configuration exists and a PPPoE client sends a specific message (CVE-2022-22160) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: MX104 might become unresponsive if the out-of-band management port receives a flood of traffic (CVE-2022-22161) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: A low privileged user can elevate their privileges to the ones of the highest privileged j-web user logged in (CVE-2022-22162) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: jdhcpd crashes upon receipt of a specific DHCPv6 packet (CVE-2022-22163) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. (CVE-2022-22164) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: An rpd core will occur if BGP update tracing is configured and an update containing a malformed BGP SR-TE policy tunnel attribute is received (CVE-2022-22166) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: vMX and MX150: Specific packets might cause a memory leak and eventually an FPC reboot (CVE-2022-22168) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS and Junos OS Evolved: OSPFv3 session might go into INIT state upon receipt of multiple crafted packets from a trusted neighbor device. (CVE-2022-22169) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS and Junos OS Evolved: Specific packets over VXLAN cause memory leak and/or FPC reset (CVE-2022-22170, CVE-2022-22171) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS and Junos OS Evolved: An l2cpd memory leak can occur when specific LLDP packets are received leading to a DoS (CVE-2022-22172) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: CRL failing to download causes a memory leak and ultimately a DoS (CVE-2022-22173) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: QFX5000 Series, EX4600: Device may run out of memory, causing traffic loss, upon receipt of specific packets (CVE-2022-22174) - Juniper Networks
- 2022-01 Security Bulletin: MX Series and SRX Series: The flowd daemon will crash if the SIP ALG is enabled and specific SIP messages are processed (CVE-2022-22175) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: In a scenario with dhcp-security and option-82 configured jdhcpd crashes upon receipt of a malformed DHCP packet (CVE-2022-22176) - Juniper Networks
- 2022-01 Security Bulletin: MX Series and SRX series: Flowd core observed if the SIP ALG is enabled and a specific Session Initiation Protocol (SIP) packet is received (CVE-2022-22178) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: jdhcpd crashes upon receiving a specific DHCP packet (CVE-2022-22179) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: EX2300 Series, EX2300-MP Series, EX3400 Series: A slow memory leak due to processing of specific IPv6 packets (CVE-2022-22180) - Juniper Networks
- 2022-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 21.3R1 - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: ACX5448: Multiple third party vulnerabilities resolved in 21.3R2 - Juniper Networks
- 2022-01 Security Bulletin: Junos OS Evolved: Multiple vulnerabilities in cURL resolved - Juniper Networks
- 2022-01 Security Bulletin: SBR Carrier: Multiple Vulnerabilities in OpenSSL - Juniper Networks
- 2022-01 Security Bulletin: SBR Carrier: Multiple Vulnerabilities in OpenSSL - Juniper Networks
- 2022-01 Security Bulletin: Junos Space Security Director Insights: NGINX allows HTTP request smuggling (CVE-2019-20372) - Juniper Networks
- 2022-01 Security Bulletin: Junos OS: OpenSSL Security Advisory [24 Aug 2021] - Juniper Networks
- 2022-01 Security Bulletin: Contrail Cloud: Multiple Vulnerabilities have been resolved in Contrail Cloud release 13.6.0 - Juniper Networks
- 2022-01 Security Bulletin: Contrail Networking: Multiple Vulnerabilities have been resolved in Contrail Networking release 2011 - Juniper Networks