Juniper Networks has released out-of-band updates to address high-severity vulnerabilities in SRX Series and EX Series devices that could be exploited by a threat actor to take control of susceptible systems.
The flaws, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and affect all versions of Junos OS on SRX Series and EX Series. Two other shortcomings, CVE-2023-36846 and CVE-2023-36851, had previously been disclosed by the company in August 2023.
CVE-2024-21619 (CVSS score: 5.3) – A missing-authentication vulnerability that could expose sensitive configuration information.
CVE-2024-21620 (CVSS score: 8.8) – A cross-site scripting (XSS) vulnerability that could allow an attacker to execute arbitrary commands with the target's permissions via a specially crafted request.
The cybersecurity firm watchTowr Labs is credited with discovering and reporting the issues. Juniper has fixed both vulnerabilities in the following Junos OS releases:
For CVE-2024-21619: 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases.
For CVE-2024-21620: 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2, and all subsequent releases.
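The fixed releases differ per CVE and per release train (22.4R3 closes CVE-2024-21619 but CVE-2024-21620 needs 22.4R3-S1; 23.2R1-S2 is enough for the first but the second needs 23.2R2), so checking a fleet by eye is error-prone. The following script is an added example, not a Juniper tool: it parses a Junos release string as printed by `show version`, finds the train it belongs to and compares the R/S level against the fix points listed above. It assumes a train newer than every train in the list falls under "all subsequent releases", reports an older or unlisted train as unknown rather than guessing, does not model legacy X/D-style releases such as 15.1X49-D170, and the `show version` text it parses is constructed, not captured from a real device.

```python
import re

# Fixed releases exactly as listed above for the two J-Web CVEs.
FIXED_RELEASES = {
    "CVE-2024-21619": [
        "20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S6", "22.1R3-S5",
        "22.2R3-S3", "22.3R3-S2", "22.4R3", "23.2R1-S2", "23.2R2", "23.4R1",
    ],
    "CVE-2024-21620": [
        "20.4R3-S10", "21.2R3-S8", "21.4R3-S6", "22.1R3-S5", "22.2R3-S3",
        "22.3R3-S2", "22.4R3-S1", "23.2R2", "23.4R2",
    ],
}

# Junos release string: <major>.<minor>R<release>[-S<service>][.<build>]
# e.g. 21.4R3-S6, or 21.4R3-S6.3 as "show version" prints it (trailing build).
_JUNOS_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_junos_version(text):
    """Return (major, minor, R, S) or None for strings this parser does not
    model (e.g. 15.1X49-D170 on older SRX). A release with no -S is S=0."""
    m = _JUNOS_RE.match(text.strip())
    if not m:
        return None
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor), int(rel), int(svc or 0))


def _fixed_by_train(cve):
    """Map (major, minor) train -> lowest fixed (R, S) level for the CVE."""
    table = {}
    for v in FIXED_RELEASES[cve]:
        major, minor, rel, svc = parse_junos_version(v)
        train = (major, minor)
        # 23.2 lists both R1-S2 and R2; keep the lowest fix point per train.
        if train not in table or (rel, svc) < table[train]:
            table[train] = (rel, svc)
    return table


def status(version, cve):
    """'fixed', 'vulnerable' or 'unknown' for one CVE."""
    parsed = parse_junos_version(version)
    if parsed is None:
        return "unknown"
    major, minor, rel, svc = parsed
    table = _fixed_by_train(cve)
    train = (major, minor)
    if train in table:
        return "fixed" if (rel, svc) >= table[train] else "vulnerable"
    # Assumption: a train newer than every listed train is covered by
    # "all subsequent releases"; an older or unlisted train needs the advisory.
    if train > max(table):
        return "fixed"
    return "unknown"


def check(version):
    """Status of one release string against both CVEs."""
    return {cve: status(version, cve) for cve in FIXED_RELEASES}


def version_from_show_version(output):
    """Pull the release string out of 'show version' text."""
    m = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample, not output captured from a real device.
SAMPLE_SHOW_VERSION = """\
Hostname: srx-edge-01
Model: srx345
Junos: 21.4R3-S4.9
"""

if __name__ == "__main__":
    v = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(v, check(v))
```

The table is only as good as the advisory it was copied from, so treat "unknown" as a prompt to read the advisory, not as a pass, and note that a release can close one CVE while still being exposed to the other.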
Until the fixes can be applied, Juniper Networks recommends disabling J-Web or restricting access to it to trusted hosts only.