Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series devices that could be exploited by a threat actor to take control of vulnerable systems.
The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component (the Junos OS web management interface) and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-36851, were previously disclosed by the company in August 2023.
- CVE-2024-21619 (CVSS score: 5.3) – A missing authentication vulnerability that could lead to exposure of sensitive configuration information
- CVE-2024-21620 (CVSS score: 8.8) – A cross-site scripting (XSS) vulnerability that could lead to the execution of arbitrary commands with the target's permissions by means of a specially crafted request
Cybersecurity firm watchTowr Labs has been credited with discovering and reporting the issues. The two vulnerabilities have been addressed in the following versions –
- CVE-2024-21619 – 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases
- CVE-2024-21620 – 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2, and all subsequent releases
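Because the two CVEs have different fixed releases per Junos release train, triaging a fleet by eye is error-prone. The script below is an added example (not Juniper's or the article's code) that transcribes the two fixed-version lists above, parses the `Junos:` line from `show version` output, and reports per CVE whether a device's release is fixed, still vulnerable, or on a train the lists do not mention. It assumes the advisory's "all subsequent releases" means any release train newer than the newest one listed; trains older than that but absent from a list (for example 21.3 for CVE-2024-21620) are reported as `unknown` rather than guessed. The sample `show version` text is constructed for the example.

```python
import re

# Fixed releases exactly as listed in the advisory summary above (transcribed, not extended).
FIXED = {
    "CVE-2024-21619": [
        "20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S6", "22.1R3-S5", "22.2R3-S3",
        "22.3R3-S2", "22.4R3", "23.2R1-S2", "23.2R2", "23.4R1",
    ],
    "CVE-2024-21620": [
        "20.4R3-S10", "21.2R3-S8", "21.4R3-S6", "22.1R3-S5", "22.2R3-S3",
        "22.3R3-S2", "22.4R3-S1", "23.2R2", "23.4R2",
    ],
}

# Junos release strings look like 22.4R3-S1 (optionally with a trailing build number, e.g. 22.4R3-S1.7).
# Group 1/2: release train (major.minor); group 3: R number; group 4: optional service release.
_RELEASE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")


def parse_release(version):
    """Split '22.4R3-S1.7' into ((22, 4), (3, 1)): (train, (R, S))."""
    m = _RELEASE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {version!r}")
    major, minor, r, s = m.groups()
    return (int(major), int(minor)), (int(r), int(s or 0))


def fixed_releases_by_train(cve):
    """Map each release train to the (R, S) tuples at which the CVE is fixed on that train."""
    by_train = {}
    for rel in FIXED[cve]:
        train, rs = parse_release(rel)
        by_train.setdefault(train, []).append(rs)
    return by_train


def status(version, cve):
    """Return 'fixed', 'vulnerable' or 'unknown' for one device release against one CVE."""
    train, rs = parse_release(version)
    by_train = fixed_releases_by_train(cve)
    if train in by_train:
        # Within a train, R and S numbers increase monotonically, so tuple comparison is enough:
        # 22.4R3-S1 >= 22.4R3-S1 is fixed, 22.4R3 is not; 22.4R4 is later than 22.4R3-S1.
        return "fixed" if any(rs >= fixed for fixed in by_train[train]) else "vulnerable"
    if train > max(by_train):
        return "fixed"  # assumption: "all subsequent releases" covers newer trains
    return "unknown"  # older train not named in the advisory list: consult the advisory directly


def junos_version_from_show_version(text):
    """Extract the release string from the 'Junos: ...' line of `show version` output."""
    m = re.search(r"^Junos:\s*(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return m.group(1)


def triage(show_version_text):
    """Status of a device for both CVEs, keyed by CVE id."""
    version = junos_version_from_show_version(show_version_text)
    return {cve: status(version, cve) for cve in FIXED}


# Constructed sample output; a real device prints additional lines (packages, model details).
SAMPLE_SHOW_VERSION = """Hostname: srx-edge-01
Model: srx345
Junos: 22.4R3.15
JUNOS OS Kernel 64-bit  [20230616.4d6d2ff_builder_stable_12]
"""

if __name__ == "__main__":
    # 22.4R3 is fixed for CVE-2024-21619 but CVE-2024-21620 needs 22.4R3-S1.
    for cve, result in triage(SAMPLE_SHOW_VERSION).items():
        print(f"{cve}: {result}")
```

Run it against saved `show version` output from each device (for example collected over SSH); a device that reports `vulnerable` for either CVE should have J-Web disabled or fenced off until it is upgraded.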
As temporary mitigations until the fixes are deployed, the company is recommending that users disable J-Web or limit access to only trusted hosts.
It's worth noting that both CVE-2023-36846 and CVE-2023-36851 were added to the Known Exploited Vulnerabilities (KEV) catalog in November 2023 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), based on evidence of active exploitation.
Earlier this month, Juniper Networks also shipped fixes to contain a critical vulnerability in the same products (CVE-2024-21591, CVSS score: 9.8) that could enable an attacker to cause a denial-of-service (DoS) or remote code execution and obtain root privileges on the device.
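The two mitigations expressed as Junos CLI configuration, as an added example that is not from Juniper's advisory or the article: either remove the web-management service outright, or keep J-Web but filter HTTP/HTTPS to the Routing Engine so only a trusted management prefix can reach it. The prefix-list name `MGMT-HOSTS`, the filter name `PROTECT-RE` and the 192.0.2.0/24 prefix are placeholders chosen for the example.

```junos
## Option 1: disable J-Web entirely (the stronger mitigation; management continues over SSH/NETCONF).
delete system services web-management http
delete system services web-management https

## Option 2: keep J-Web but accept HTTP/HTTPS to the Routing Engine only from trusted hosts.
## Placeholders: MGMT-HOSTS (trusted management prefix), PROTECT-RE (loopback filter name).
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
set firewall family inet filter PROTECT-RE term jweb-trusted from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term jweb-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-trusted from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term jweb-trusted then accept
set firewall family inet filter PROTECT-RE term jweb-deny from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-deny from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term jweb-deny then syslog
set firewall family inet filter PROTECT-RE term jweb-deny then discard
## Final accept term: without it the lo0 filter silently drops SSH, routing protocols and everything else bound for the RE.
set firewall family inet filter PROTECT-RE term allow-everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## Commit with automatic rollback in case the filter locks you out; confirm once you can still log in.
commit confirmed 5
commit
```

The `lo0` input filter applies to all traffic destined for the Routing Engine regardless of the ingress interface, which is why the catch-all accept term matters. On SRX Series the security zones also gate J-Web: check `show configuration security zones | match "http"` and remove `http`/`https` from `host-inbound-traffic system-services` on any untrusted zone, otherwise the zone policy still admits the traffic before the filter is the only thing standing in its way. Confirm the result with `show configuration system services web-management` and, for option 2, by watching the `jweb-deny` syslog entries from an untrusted source.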