Japan Vulnerability Notes (jvn), JVN:21753370
History: Jan 10, 2020 - 12:00 a.m.

JVN#21753370: Junos OS vulnerable to cross-site scripting

2020-01-10 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.001 Low (Percentile: 45.5%)

Junos OS contains a cross-site scripting vulnerability (CWE-79).

Impact

An arbitrary script may be executed on the user’s J-Web screen.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Apply a Workaround
Applying the workarounds listed below may mitigate the impact of the vulnerability.

  • Access the J-Web service from trusted hosts that are unlikely to be compromised by cross-site scripting attacks (e.g. by deploying jump hosts with no internet access)
  • Disable J-Web

Products Affected

  • Junos OS 12.3 versions prior to 12.3R12-S15 on EX and QFX Series
  • Junos OS 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90 on SRX Series
  • Junos OS 14.1X53 versions prior to 14.1X53-D51 on EX and QFX Series
  • Junos OS 15.1F6 versions prior to 15.1F6-S13
  • Junos OS 15.1 versions prior to 15.1R7-S5
  • Junos OS 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190 on SRX Series
  • Junos OS 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series
  • Junos OS 15.1X53 versions prior to 15.1X53-D592 on EX2300/EX3400 Series
  • Junos OS 16.1 versions prior to 16.1R4-S13, 16.1R7-S5
  • Junos OS 16.2 versions prior to 16.2R2-S10
  • Junos OS 17.1 versions prior to 17.1R2-S11, 17.1R3-S1
  • Junos OS 17.2 versions prior to 17.2R1-S9, 17.2R3-S2
  • Junos OS 17.3 versions prior to 17.3R2-S5, 17.3R3-S5
  • Junos OS 17.4 versions prior to 17.4R2-S6, 17.4R3
  • Junos OS 18.1 versions prior to 18.1R3-S7
  • Junos OS 18.2 versions prior to 18.2R2-S5, 18.2R3
  • Junos OS 18.3 versions prior to 18.3R1-S6, 18.3R2-S1, 18.3R3
  • Junos OS 18.4 versions prior to 18.4R1-S5, 18.4R2
  • Junos OS 19.1 versions prior to 19.1R1-S2, 19.1R2
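
To check a device's release string against the plain R-release rows of the list above, the following Python sketch can be used; it is an added example, not code from JVN or the developer, and `parse_release` and `is_affected` are hypothetical names. It assumes a conservative reading of rows with several fixed releases: a release counts as fixed only if it is at or above a listed service release on the same R level, or at or above the highest listed release. The X, F and platform-specific rows are not handled.

```python
import re

# Fixed releases copied from the R-release rows under "Products Affected"
# (rows limited to specific platforms and the X/F trains are left out).
FIXED = {
    "15.1": ["15.1R7-S5"],
    "16.1": ["16.1R4-S13", "16.1R7-S5"],
    "16.2": ["16.2R2-S10"],
    "17.1": ["17.1R2-S11", "17.1R3-S1"],
    "17.2": ["17.2R1-S9", "17.2R3-S2"],
    "17.3": ["17.3R2-S5", "17.3R3-S5"],
    "17.4": ["17.4R2-S6", "17.4R3"],
    "18.1": ["18.1R3-S7"],
    "18.2": ["18.2R2-S5", "18.2R3"],
    "18.3": ["18.3R1-S6", "18.3R2-S1", "18.3R3"],
    "18.4": ["18.4R1-S5", "18.4R2"],
    "19.1": ["19.1R1-S2", "19.1R2"],
}

# <train>R<n>[-S<m>][.<build>], e.g. 18.3R1-S5 or 17.4R2-S6.3
_REL = re.compile(r"^(\d+\.\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_release(release):
    """Return (train, (R level, S level)); a missing -S part counts as 0."""
    m = _REL.match(release.strip())
    if not m:
        raise ValueError(f"not a plain R release: {release!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3) or 0))


def is_affected(release):
    """True if affected, False if fixed, None if the train is not in FIXED."""
    train, level = parse_release(release)
    if train not in FIXED:
        return None
    fixes = [parse_release(f)[1] for f in FIXED[train]]
    # Assumption: a fix applies on its own R level from that S level upward.
    fixed_same_r = any(level[0] == r and level[1] >= s for r, s in fixes)
    # Assumption: anything at or above the highest listed release is fixed.
    return not (fixed_same_r or level >= max(fixes))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real device.
    for rel in ["18.3R1-S5", "18.3R1-S6", "18.3R2", "16.1R6-S2", "17.4R3-S1"]:
        print(rel, "affected" if is_affected(rel) else "fixed")
```

A `None` result means the table above has no row for that train, not that the release is safe.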
