The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Juniper Integrated Security Gateway

vulnerability CVE-2018-0059

Juniper ScreenOS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Juniper ScreenOS, in order to run JavaScript code in the context of the web site.
Impacted products: Juniper ISG, SSG, NetScreen Firewall, ScreenOS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 11/10/2018.
Identifiers: CERTFR-2018-AVI-487, CVE-2018-0059, JSA10894, VIGILANCE-VUL-27480.

Description of the vulnerability

The Juniper ScreenOS product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Juniper ScreenOS, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2018-0014

ScreenOS: information disclosure via Etherleak

Synthesis of the vulnerability

A local attacker can read a memory fragment via Etherleak of ScreenOS, in order to obtain sensitive information.
Impacted products: Juniper ISG, SSG, NetScreen Firewall, ScreenOS.
Severity: 1/4.
Consequences: data reading.
Provenance: LAN.
Creation date: 11/01/2018.
Identifiers: CVE-2018-0014, JSA10841, VIGILANCE-VUL-25021.

Description of the vulnerability

A local attacker can read a memory fragment via Etherleak of ScreenOS, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2017-2335 CVE-2017-2336 CVE-2017-2337

ScreenOS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of ScreenOS, in order to run JavaScript code in the context of the web site.
Impacted products: Juniper ISG, SSG, NetScreen Firewall, ScreenOS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/07/2017.
Identifiers: CERTFR-2017-AVI-212, CVE-2017-2335, CVE-2017-2336, CVE-2017-2337, CVE-2017-2338, CVE-2017-2339, JSA10782, VIGILANCE-VUL-23235.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of ScreenOS, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2016-8610

OpenSSL: denial of service via SSL3_AL_WARNING

Synthesis of the vulnerability

An attacker can send SSL3_AL_WARNING packets to an SSLv3 application linked to OpenSSL, in order to trigger a denial of service.
Impacted products: OpenOffice, Debian, Fedora, FreeBSD, FreeRADIUS, hMailServer, HP Switch, AIX, IRAD, Security Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, Juniper ISG, Juniper J-Series, Junos OS, SSG, SRX-Series, Meinberg NTP Server, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Solaris, WebLogic, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, RHEL, JBoss EAP by Red Hat, Shibboleth SP, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 24/10/2016.
Identifiers: 1996096, 2000095, 2003480, 2003620, 2003673, 2004940, 2009389, bulletinoct2016, cpujul2019, CVE-2016-8610, DLA-814-1, DSA-3773-1, FEDORA-2017-3451dbec48, FEDORA-2017-e853b4144f, FreeBSD-SA-16:35.openssl, HPESBHF03897, JSA10808, JSA10809, JSA10810, JSA10811, JSA10813, JSA10814, JSA10816, JSA10817, JSA10818, JSA10820, JSA10821, JSA10822, JSA10825, openSUSE-SU-2017:0386-1, openSUSE-SU-2017:0487-1, openSUSE-SU-2018:4104-1, PAN-SA-2017-0017, pfSense-SA-17_03.webgui, RHSA-2017:0286-01, RHSA-2017:0574-01, RHSA-2017:1548-01, RHSA-2017:1549-01, RHSA-2017:1550-01, RHSA-2017:1551-01, RHSA-2017:1552-01, RHSA-2017:1658-01, RHSA-2017:1659-01, RHSA-2017:2493-01, RHSA-2017:2494-01, SA40886, SP-CAAAPUE, SPL-129207, SUSE-SU-2017:0304-1, SUSE-SU-2017:0348-1, SUSE-SU-2018:0112-1, SUSE-SU-2018:3864-1, SUSE-SU-2018:3864-2, SUSE-SU-2018:3964-1, SUSE-SU-2018:3994-1, SUSE-SU-2018:4068-1, SUSE-SU-2018:4274-1, SUSE-SU-2019:1553-1, USN-3181-1, USN-3183-1, USN-3183-2, VIGILANCE-VUL-20941.

Description of the vulnerability

The OpenSSL product implements the SSL version 3 protocol.

The SSL3_AL_WARNING message is used to send an alert of level Warning. However, when these packets are received during the handshake, the library consumes 100% of CPU.

An attacker can therefore send SSL3_AL_WARNING packets to an SSLv3 application linked to OpenSSL, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.