Juniper Networks fixed holes in its Advanced Threat Prevention (ATP) appliance, Junos OS operating system, and Junos Space network management platform.
The vulnerabilities also affect third-party components.
In Juniper ATP appliances, the company fixed 13 issues, including arbitrary command execution, hardcoded credentials, information disclosure, persistent cross-site scripting (XSS), and unprotected credentials.
Three of the vulnerabilities fixed in ATP devices have been rated “critical,” including ones related to the existence of hardcoded credentials and the storage of Splunk credentials in a file that can be accessed by authenticated local users.
Another three flaws had a CVSS score between 7.0 and 8.9, which puts them in the “high” severity category. Those issues are insecure storage of keys used for critical operations in the WebUI interface, the logging of secret passphrase CLI inputs in clear text, and a remote command execution weakness in the XML-RPC server.
In the Junos OS operating system, Juniper fixed eight vulnerabilities.
Also in Junos OS, the company fixed two OpenSSL vulnerabilities patched by the OpenSSL Project last year.
In addition, Juniper patched a series of vulnerabilities in Junos Space. Nine holes, one rated “high” and the rest “medium,” were fixed in version 18.3R1.
The rest were fixed in version 18.4R1, including a hole listed as critical that could lead to privilege escalation and arbitrary code execution.