Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems.
The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-36851, were previously disclosed by the company in August 2023.
Cybersecurity firm watchTowr Labs has been credited with discovering and reporting the issues. The two vulnerabilities have been addressed in the following versions –
As temporary mitigations until the fixes are deployed, the company is recommending that users disable J-Web or restrict access to only trusted hosts.
It’s worth noting that both CVE-2023-36846 and CVE-2023-36851 were added to the Known Exploited Vulnerabilities (KEV) catalog in November 2023 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), based on evidence of active exploitation.
Earlier this month, Juniper Networks also shipped fixes to contain a critical vulnerability in the same products (CVE-2024-21591, CVSS score: 9.8) that could enable an attacker to cause a denial-of-service (DoS) or remote code execution and obtain root privileges on the device.