CVE-2019-0015
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
A vulnerability in the SRX Series Service Gateway allows deleted dynamic VPN users to establish dynamic VPN connections until the device is rebooted. A deleted dynamic VPN connection should be immediately disallowed from establishing new VPN connections. Due to an error in token caching, deleted users are allowed to connect once a previously successful dynamic VPN connection has been established. A reboot is required to clear the cached authentication token. Affected releases are Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D75; 15.1X49 versions prior to 15.1X49-D150; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 12.3X48 < 12.3X48-D75 | affected |
| Juniper Networks | Junos OS | 15.1X49 < 15.1X49-D150 | affected |
| Juniper Networks | Junos OS | 17.3 < 17.3R3 | affected |
| Juniper Networks | Junos OS | 17.4 < 17.4R2 | affected |
| Juniper Networks | Junos OS | 18.1 < 18.1R3 | affected |
| Juniper Networks | Junos OS | 18.2 < 18.2R2 | affected |
Weaknesses
- Unauthorized access
Workarounds
There are no viable workarounds for this issue.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.