CVE-2017-10616
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
The ifmap service that comes bundled with Juniper Networks Contrail releases uses hard coded credentials. Affected releases are Contrail releases 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Contrail | 2.2 < 2.21.4 | affected |
| Juniper Networks | Contrail | 3.0 < 3.0.3.4 | affected |
| Juniper Networks | Contrail | 3.1 < 3.1.4.0 | affected |
| Juniper Networks | Contrail | 3.2 < 3.2.5.0 | affected |
Weaknesses
- hardcoded credential
Workarounds
The hard coded credentials can be modified manually. It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access only from trusted, administrative networks or hosts.
ADP Enrichment
CVE Program Container
Additional References
- https://kb.juniper.net/JSA10819
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-qx9c-49m4-f3vj
References
- https://kb.juniper.net/JSA10819
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-qx9c-49m4-f3vj
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.