CVE-2024-39565
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device.
While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device. This issue affects Junos OS:
- All versions before 21.2R3-S8,
- from 21.4 before 21.4R3-S7,
- from 22.2 before 22.2R3-S4,
- from 22.3 before 22.3R3-S3,
- from 22.4 before 22.4R3-S2,
- from 23.2 before 23.2R2,
- from 23.4 before 23.4R1-S1, 23.4R2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks, Inc. | Junos OS | 0 < 21.2R3-S8 | affected |
| Juniper Networks, Inc. | Junos OS | 21.4 < 21.4R3-S7 | affected |
| Juniper Networks, Inc. | Junos OS | 22.2 < 22.2R3-S4 | affected |
| Juniper Networks, Inc. | Junos OS | 22.3 < 22.3R3-S3 | affected |
| Juniper Networks, Inc. | Junos OS | 22.4 < 22.4R3-S2 | affected |
| Juniper Networks, Inc. | Junos OS | 23.2 < 23.2R2 | affected |
| Juniper Networks, Inc. | Junos OS | 23.4 < 23.4R1-S1, 23.4R2 | affected |
Weaknesses
- CWE-643: CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Workarounds
There are no known workarounds for this issue other than disabling J-Web when not in use.
Juniper Networks has written an effective countermeasure for this attack at IDP Signature SigPack #3675 onward, released on 07 February 2024. The signature “HTTP:PHP:LAUNCHPAD-CMD-INJ” will identify and block the attack. For best effect, customers may deploy this signature on devices where J-Web is not used. Methods which may reduce, but not eliminate, the risk for exploitation of these problems, and which does not mitigate or resolve the underlying problem include:
• Deploying the appropriate IDP Signature on devices which do not have J-Web enabled which protect the device downstream which requires J-Web to be enabled.
• Disabling J-Web and using only alternate options such as Netconf over SSH for device management
• Restricting the use of J-Web to low-privileged accounts only
In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device only from trusted, administrative networks or hosts.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://supportportal.juniper.net/JSA83023
- https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:I/V:C/RE:L/U:Amber
- https://support.juniper.net/support/downloads/?p=283
References
- https://supportportal.juniper.net/JSA83023
- https://www.first.org/cvss/calculator/v4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:I/V:C/RE:L/U:Amber
- https://support.juniper.net/support/downloads/?p=283
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.