Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series devices that could be exploited by a threat actor to take control of vulnerable systems.
The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and affect all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-36851, were previously disclosed by the company in August 2023.
- CVE-2024-21619 (CVSS score: 5.3) – A missing authentication vulnerability that could lead to exposure of sensitive configuration information
- CVE-2024-21620 (CVSS score: 8.8) – A cross-site scripting (XSS) vulnerability that could lead to the execution of arbitrary commands with the target's permissions via a specially crafted request
Cybersecurity firm watchTowr Labs has been credited with discovering and reporting the issues. The two vulnerabilities have been addressed in the following versions –
- CVE-2024-21619 – 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases
- CVE-2024-21620 – 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2, and all subsequent releases
As temporary mitigations until the fixes are deployed, the company recommends that users disable J-Web or restrict access to trusted hosts only.
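The two interim mitigations, as an added Junos set-format example that is not taken from Juniper's advisory. Assumptions: 192.0.2.0/24 is the trusted management subnet, PROTECT-RE is the filter name, and fxp0 is the dedicated management interface (me0 on many EX switches).

```junos
## Added example, not Juniper's own text. Assumed: 192.0.2.0/24 = trusted
## management subnet, PROTECT-RE = filter name, fxp0 = management interface.

## Weak: J-Web listens on every interface address with no control-plane filter.
set system services web-management http
set system services web-management https system-generated-certificate

## Option 1 (strongest): remove J-Web entirely until the fixed release is installed.
delete system services web-management

## Option 2: keep J-Web, but bind it to the management interface only and filter
## the routing engine so that only trusted hosts can reach the HTTPS listener.
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set firewall family inet filter PROTECT-RE term jweb-trusted from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term jweb-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-trusted from destination-port https
set firewall family inet filter PROTECT-RE term jweb-trusted then accept
## Log and drop any other attempt to reach J-Web ports; the log is useful evidence
## of probing while the device is still unpatched.
set firewall family inet filter PROTECT-RE term jweb-block from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-block from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term jweb-block then log
set firewall family inet filter PROTECT-RE term jweb-block then discard
## The final term must accept everything else (SSH, routing protocols, SNMP),
## otherwise applying the filter to lo0 cuts off all management of the box.
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Use `commit confirmed` when applying a loopback filter so an overly strict term rolls back automatically; `show firewall log` then shows blocked J-Web connection attempts.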
It's worth noting that both CVE-2023-36846 and CVE-2023-36851 were added to the Known Exploited Vulnerabilities (KEV) catalog in November 2023 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), based on evidence of active exploitation.
Earlier this month, Juniper Networks also shipped fixes to contain a critical vulnerability in the same products (CVE-2024-21591, CVSS score: 9.8) that could allow an attacker to cause a denial-of-service (DoS) or achieve remote code execution and obtain root privileges on the devices.