30 vulnerabilities in different Juniper products could allow the total takeover of the affected network. Update immediately

Cybersecurity specialists from Juniper Networks announced the release of multiple security patches to address more than 30 flaws in their products, including critical bugs in Contrail Networking and Junos OS. According to the report, at least seven of these flaws received scores above 9/10 according to the Common Vulnerability Scoring System (CVSS).

First, the alert mentions ten flaws in Contrail Networking, in its versions prior to 2011. Five of these flaws are considered critical and all were tracked in 2021. The two most severe errors are buffer overflow flaws in Pillow tracked as CVE-2021-25289 and CVE-2021-34552, plus a heap overflow in Apache HTTP Server tracked as CVE-2021-26691.

The remaining flaws reside in the nginx resolution (CVE-2021-23017) and the xmlhttprequest-ssl package (CVE-2021-31597).

On the other hand, the second security alert refers to critical flaws in Contrail Networking prior to v21.3. These reports include a remote code execution bug in Git for Visual Studio tracked as CVE-2019-1349; and a denial of service (DoS) error in the pcre_compile function in pcre_compile.c in PCRE tracked as CVE-2015-8391.

This week, Juniper Networks also announced patches for 14 vulnerabilities in Junos OS and Junos OS Evolved, including 10 severe issues that could lead to DoS and remote code execution (RCE) scenarios. In its report, the firm notes that there are no reports of active exploitation.

The report was also shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), encouraging users and administrators to review the company’s reports and apply the necessary corrections as soon as possible: “Remote threat actors could exploit some of these vulnerabilities to take control of an affected system”, points out the Agency.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.