Juniper Networks this week released patches for more than 60 vulnerabilities in its Juniper Advanced Threat Prevention (ATP) appliance, Junos OS operating system, and Junos Space network management platform. Many of the security holes impact third-party components.
In Juniper ATP appliances, the company addressed 13 flaws, including persistent cross-site scripting (XSS), arbitrary command execution, hardcoded credentials, information disclosure, and unprotected credential issues.
Three of the vulnerabilities fixed in ATP devices have been rated “critical,” including ones related to the existence of hardcoded credentials and the storage of Splunk credentials in a file that can be accessed by authenticated local users.
Another three flaws have been assigned CVSS scores between 7.0 and 8.9, which puts them in the “high” severity category. The list includes issues related to the insecure storage of keys used for critical operations in the WebUI, the logging of secret passphrase CLI inputs in clear text, and a remote command execution weakness in the XML-RPC server.