Juniper Networks has released out-of-band updates to address high-severity flaws in the SRX and EX Series that could be exploited by a threat actor to take control of vulnerable systems.
The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and affect all versions of Junos OS. Two other flaws, CVE-2023-36846 and CVE-2023-36851, were previously reported by the company in August 2023.
- CVE-2024-21619 (CVSS Score: 5.3) – A missing authentication vulnerability that could lead to exposure of sensitive configuration information
- CVE-2024-21620 (CVSS Score: 8.8) – A cross-site scripting (XSS) vulnerability that could lead to execution of arbitrary commands with target permissions via a specially crafted request
Cybersecurity firm watchTowr Labs was credited with discovering and reporting the problems. The two vulnerabilities have been fixed in the following releases:
- CVE-2024-21619 – 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent versions
- CVE-2024-21620 – 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2 and all later versions
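The two release lists above are what an operator has to compare a fleet's running versions against, train by train. The following is an added example, not code from the article or from Juniper: it parses Junos version strings of the form `<major>.<minor>R<release>[-S<service>][.<build>]` and reports, per CVE, whether a running version is at or past the first fixed release on its train. The fixed releases are copied from the article; the comparison rules (same train, higher R then higher S wins; a train newer than any listed is assumed to carry the fix; an older train with no listed fix is flagged separately) are this example's own assumptions.

```python
"""Compare a running Junos OS version against the fixed releases listed in the
advisory summary for CVE-2024-21619 and CVE-2024-21620.

Fixed-release lists are copied from the article. The ordering rules below
(same major.minor train, then R number, then S number) are an assumption made
for this example, not Juniper's official guidance.
"""
import re

FIXED_RELEASES = {
    "CVE-2024-21619": [
        "20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S6", "22.1R3-S5",
        "22.2R3-S3", "22.3R3-S2", "22.4R3", "23.2R1-S2", "23.2R2", "23.4R1",
    ],
    "CVE-2024-21620": [
        "20.4R3-S10", "21.2R3-S8", "21.4R3-S6", "22.1R3-S5", "22.2R3-S3",
        "22.3R3-S2", "22.4R3-S1", "23.2R2", "23.4R2",
    ],
}

# <major>.<minor>R<release>[-S<service>][.<build>]; the build number is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Split "21.4R3-S5" into (21, 4, 3, 5); a missing -S part counts as service 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, rel, svc = m.groups()
    return int(major), int(minor), int(rel), int(svc or 0)


def assess(version: str, cve: str) -> str:
    """Return 'fixed', 'vulnerable' or 'no-fix-on-train' for one CVE.

    'fixed'           running version is at or past the first fixed release
                      on its major.minor train ("and all subsequent versions")
    'vulnerable'      same train, but older than the fixed release
    'no-fix-on-train' the train is older than the newest listed train and has
                      no fixed release: an upgrade to another train is needed
    """
    running = parse_version(version)
    train = running[:2]
    fixes = [parse_version(v) for v in FIXED_RELEASES[cve]]
    on_train = [f for f in fixes if f[:2] == train]
    if on_train:
        return "fixed" if running >= min(on_train) else "vulnerable"
    newest_train = max(f[:2] for f in fixes)
    # Assumption: a train newer than anything in the list already carries the fix.
    return "fixed" if train > newest_train else "no-fix-on-train"


def assess_all(version: str) -> dict[str, str]:
    """Assess one running version against both CVEs at once."""
    return {cve: assess(version, cve) for cve in FIXED_RELEASES}


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> version as shown by "show version".
    inventory = {
        "srx-edge-01": "21.4R3-S5.4",
        "ex-access-07": "22.4R3.2",
        "srx-branch-12": "21.3R3-S5",
    }
    for host, ver in inventory.items():
        print(host, ver, assess_all(ver))
```

Note that 22.4R3 is fixed for CVE-2024-21619 but not for CVE-2024-21620 (which needs 22.4R3-S1), and that 21.3R3-S5 closes CVE-2024-21619 while the 21.3 train has no listed fix at all for CVE-2024-21620; the checker reports both cases separately so they are not lost in a single pass/fail flag.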
As a temporary mitigation until fixes are deployed, the company recommends users disable J-Web or limit access to only trusted hosts.
It is worth noting that both CVE-2023-36846 and CVE-2023-36851 were added to the Known Exploited Vulnerabilities (KEV) catalog in November 2023 by the US Cybersecurity and Infrastructure Security Agency (CISA), based on evidence of active exploitation.
Earlier this month, Juniper Networks also deployed fixes for a critical vulnerability in the same products (CVE-2024-21591, CVSS score: 9.8) that could allow an attacker to cause a denial of service (DoS) or achieve remote code execution and obtain root privileges on the device.