Juniper Networks has pushed security updates to address several vulnerabilities[1]
affecting multiple products, some of which could be exploited to
seize control of affected systems.
The most critical of the flaws affect Junos Space and Contrail
Networking, with the tech company urging customers to upgrade to
versions 22.1R1 and 21.4.0, respectively.
Chief among them is a collection of 31 bugs in the Junos Space
network management software, including CVE-2021-23017 (CVSS score:
9.4), which could result in a crash of vulnerable devices or even
allow arbitrary code execution.
“A security issue in nginx resolver was identified, which might
allow an attacker who is able to forge UDP packets from the DNS
server to cause 1-byte memory overwrite, resulting in worker
process crash or potential other impact,” the company said[2].
The same security vulnerability has also been remediated[3]
in Northstar Controller in versions 5.1.0 Service Pack 6 and
6.2.2.
Additionally, the networking equipment maker cautioned of
multiple known issues[4] that exist in CentOS 6.8[5], which is
shipped with Junos Space Policy Enforcer before version 22.1R1[6].
As a mitigation, the version of CentOS packed with the Policy
Enforcer component has been upgraded to 7.9.
Also listed are 166 security vulnerabilities in its Contrail
Networking product that impact all versions prior to 21.4.0 and
have been collectively given the maximum CVSS score of 10.0.
“Multiple vulnerabilities in third party software used in
Juniper Networks Contrail Networking have been resolved in release
21.4.0 by upgrading the Open Container Initiative (OCI)-compliant
Red Hat Universal Base Image (UBI) container image from Red Hat
Enterprise Linux 7 to Red Hat Enterprise Linux 8,” it noted[7]
in an advisory.
References
[1] several vulnerabilities (kb.juniper.net)
[2] said (supportportal.juniper.net)
[3] remediated (supportportal.juniper.net)
[4] multiple known issues (supportportal.juniper.net)
[5] CentOS 6.8 (wiki.centos.org)
[6] version 22.1R1 (www.juniper.net)
[7] noted (supportportal.juniper.net)
Read more https://thehackernews.com/2022/07/juniper-releases-patches-for-critical.html
