Vulnerability

Junos J-Web vulnerabilities

This live blog contains information regarding the Junos J-Web vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 31, 2022.

T-Update

Information about vulnerabilities

Update October 31, 2022

17:30 | On the 12th of October 2022, Juniper Networks published a security bulletin describing six different vulnerabilities in the J-Web interface of Juniper Networks Junos. The most severe vulnerability allows an unauthenticated remote attacker to execute arbitrary code. Last week Friday on the 28th of October 2022, research company Octagon Networks has published more details regarding the six vulnerabilities.

Currently, no public exploit code is available and there are no reports on exploitation of the vulnerabilities in the wild. However, with the details provided by the blog of Octagon Networks, it is likely that exploits will be developed.

Juniper Networks has published security updates and workarounds to mitigate the vulnerabilities in Junos. It is highly recommended to apply these updates or workarounds.

‍

Customized cyber security

Background

The most severe vulnerability allows an unauthenticated remote attacker to execute arbitrary code. Additionally, several of the other vulnerabilities might be combined to increase chance and the impact of exploitation. Currently, there are no reports on exploitation in the wild and there is no publicly available proof-of-concept code for any of the six vulnerabilities. Although, this might change based on the details published in the blog by Octagon Networks.

Risk

Juniper Networks published six vulnerabilities in the J-Web interface of Juniper Networks Junos in its security bulletin. Octagon Networks has analysed and described all six vulnerabilities and developed proof-of-concept exploit code, which they have decided not to publish yet.

An overview of the vulnerabilities can be found in the table below.


CVE-number	Description	CVSS score	EPSS score
CVE-2022-22241	Remote pre-authenticated Phar Deserialization to RCE	9,8	0,00885
CVE-2022-22242	Pre-authenticated reflected XSS on the error page.	6,1	0,00885
CVE-2022-22243	XPATH Injection in jsdm/ajax/wizards/setup/setup.php	4,3	0,00885
CVE-2022-22244	XPATH Injection in send_raw() method	5,3	0,00885
CVE-2022-22245	Path traversal during file upload leads to RCE	4,3	0,00885
CVE-2022-22246	PHP file include /jrest.php	8,8	0,00885

The current EPSS scores show a low chance of exploitation. However, this is expected to change based on the blog of Octagon Networks and the development of public proof-of-concept code. Additionally, several vulnerabilities might be combined, increasing the likelihood and impact of exploitation.

Juniper Networks published software patches and two possible workarounds. It is strongly advised to upgrade to one of the following software versions, in which the vulnerabilities are solved:

19.1 – 19.1R3-S9 or later;
19.2 – 19.2R3-S6 or later;
19.3 – 19.3R3-S7 or later;
19.4 – 19.4R3-S9 or later;
20.1 – 20.1R3-S5 or later;
20.2 – 20.2R3-S5 or later;
20.3 – 20.3R3-S5 or later;
20.4 – 20.4R3-S4 or later;
21.1 – 21.1R3-S2 or later;
21.2 – 21.2R3-S1 or later;
21.3 – 21.3R3 or later;
21.4 – 21.4R3 or later;
22.1 – 22.1R2 or later;
22.2 – 22.2R1 or later.

‍

Advice

Sources

More information:

Octagon Networks Blog – https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/
Juniper Security Bulletin – https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US
NCSC Advisory – https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0646

‍

Sign up to receive T-Updates

Receive the latest vulnerabilities in your email every Wednesday

More than 1,000 organisations have already joined us.

Expertise

Cyber emergency?

088 27 47 800