Key vulnerability information

Vulnerability ID: JSA10560
Published: 2013-04-05 - Updated: 2014-10-07

Affected products:
- This issue may affect all Junos devices with J-Web.
- No other Juniper Networks products or platforms are affected by this issue.

Severity:
- Critical
- Score (for reference only): 5.9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Problem:
- An input validation vulnerability in J-Web may allow an authenticated user to execute arbitrary commands. This may allow a user with lower privileges (for example, read-only access) to gain full administrative access. The scope of this vulnerability is limited to users who have valid, authenticated login credentials.
- Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

Solution:
- The following software releases have been updated to resolve this specific issue: 10.4R13, 11.4R7, 12.1R5, 12.1X44-D15, 12.1X44-D20, 12.1X45-D10, 12.2R3, 12.3R1, 12.3R6, 13.2X51-D25, 13.3R4, 14.1R3, 14.2R1, and all subsequent releases.
- This issue is being tracked as PR826518 and is visible on the Customer Support website.
- KB16765, "In which releases are vulnerabilities fixed?", describes this according to the engineering and end-of-life support policies.

Workaround:
- Disable J-Web, or limit access to only trusted hosts.

Severity Assessment:
- Information on how Juniper Networks uses CVSS can be found in KB16446, "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".

Related Information:
- KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
- KB16765: In which releases are vulnerabilities fixed?
- KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
- Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

Sources:
- The Juniper SIRT would like to acknowledge Phil from Sense of Security Labs for reporting this vulnerability.
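
The two workaround options listed above, written out as Junos configuration-mode commands. This is an added example, not text from the Juniper advisory; the names MGMT-TRUSTED and PROTECT-JWEB and the prefix 192.0.2.0/24 are assumed placeholders, and J-Web is assumed to listen on its default HTTP and HTTPS ports.

```junos
# Added example (not from the advisory). Lines starting with '#' are annotations.

# --- Option 1: disable J-Web entirely --------------------------------------
# 'deactivate' keeps the stanza in the configuration but marks it inactive;
# use 'delete system services web-management' to remove it instead.
deactivate system services web-management

# --- Option 2: keep J-Web, but reachable only from trusted hosts -----------
# Assumed placeholder: replace 192.0.2.0/24 with the real management subnet.
set policy-options prefix-list MGMT-TRUSTED 192.0.2.0/24

# Permit J-Web (TCP http/https) from the trusted prefix list only.
set firewall family inet filter PROTECT-JWEB term jweb-trusted from source-prefix-list MGMT-TRUSTED
set firewall family inet filter PROTECT-JWEB term jweb-trusted from protocol tcp
set firewall family inet filter PROTECT-JWEB term jweb-trusted from destination-port [ http https ]
set firewall family inet filter PROTECT-JWEB term jweb-trusted then accept

# Drop and count every other attempt to reach the J-Web ports.
set firewall family inet filter PROTECT-JWEB term jweb-other from protocol tcp
set firewall family inet filter PROTECT-JWEB term jweb-other from destination-port [ http https ]
set firewall family inet filter PROTECT-JWEB term jweb-other then count jweb-denied
set firewall family inet filter PROTECT-JWEB term jweb-other then discard

# Leave all other traffic to the routing engine untouched.
set firewall family inet filter PROTECT-JWEB term everything-else then accept

# Apply to the loopback so the filter covers traffic destined to the device
# itself on any interface. If lo0 already has an input filter, add the two
# jweb-* terms to that filter instead of replacing it.
set interfaces lo0 unit 0 family inet filter input PROTECT-JWEB

# This filter covers IPv4 only; an equivalent 'family inet6' filter is needed
# if J-Web is reachable over IPv6.

# Use 'commit confirmed' so the change rolls back automatically if
# management access is lost.
commit confirmed 5
```

Because the advisory limits the issue to authenticated users, restricting source hosts narrows who can reach J-Web but does not remove the flaw; upgrading to one of the fixed releases listed under Solution is still required.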