Multiple vulnerabilities affect the Juniper Junos OS

Juniper Networks devices are affected by multiple high-severity issues, including code execution vulnerabilities.

Multiple high-severity security vulnerabilities have been discovered in Juniper Networks devices.

“Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.” reads the advisory published by the vendor.

The most severe one is a remote pre-authenticated PHP archive file deserialization vulnerability tracked as CVE-2022-22241 which received a CVSS score of 8.1. The vulnerability resided in the J-Web component of Junos OS. An attacker can exploit the vulnerability by sending a crafted POST request, triggering a deserialization which could lead to unauthorized local file access or arbitrary code execution.

“Phar files (PHP Archive) files contain metadata in serialized format, which when parsed by a PHP file operation function leads to the metadata getting deserialized. An attacker can abuse this behavior to exploit an object instantiation vulnerability inside the Juniper codebase.” reads the analysis published by Octagon Networks. “This vulnerability can be exploited by an unauthenticated remote attacker to get remote phar files deserialized, leading to arbitrary file write, which leads to a remote code execution (RCE) vulnerability.”

Other vulnerabilities discovered by the experts are:

CVE-2022-22242: pre-authenticated reflected XSS on the error page.
CVE-2022-22243: XPATH Injection in jsdm/ajax/wizards/setup/setup.php
CVE-2022-22244: XPATH Injection in send_raw() method.
CVE-2022-22245: Path traversal during file upload leads to RCE.
CVE-2022-22246: PHP file include /jrest.php.

The vendor addressed the flaws with the release of Junos OS versions 19.1R3-S9, 19.2R3-S6, 19.3R3-S7, 19.4R3-S9, 20.1R3-S5, 20.2R3-S5, 20.3R3-S5, 20.4R3-S4, 21.1R3-S2, 21.3R3, 21.4R3, 22.1R2, 22.2R1, and later.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, code execution)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.