January 30, 2024 at 10:36AM
Juniper Networks has disclosed, and apologized for its handling of, vulnerabilities reported by watchTowr researcher Aliz Hammond. The company issued an out-of-cycle security advisory that separately discloses four vulnerabilities which initially lacked individual CVEs. The vulnerabilities affect J-Web in Junos OS on SRX Series and EX Series devices. US CISA warned of the XSS vulnerability and urged users to apply the necessary updates. Juniper revised its assessment of the vulnerabilities and apologized to customers for the error in its communication.
Key takeaways:
– Juniper Networks disclosed the vulnerabilities separately and apologized to customers for a communication error.
– Multiple security vendors, Juniper among them, have been accused of bending the rules for assigning CVEs to vulnerabilities.
– The four vulnerabilities reported to Juniper by watchTowr researcher Aliz Hammond, which were initially not assigned individual CVEs, have now each been disclosed separately in an out-of-cycle security advisory.
– Although watchTowr submitted four vulnerability reports, it was credited with discovering only two, with the other two apparently treated as having been rediscovered.
– The newly disclosed issues affect J-Web in Junos OS on SRX Series and EX Series devices, and each is now tracked under its own CVE.
– The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of the XSS vulnerability, advising users and administrators to review the Juniper bulletin and apply the necessary updates.
– Juniper apologized to customers, explaining that it had changed its assessment of the vulnerabilities reported by the researchers and revised its process for assigning CVEs.
– Questions remain about Juniper's approach to fixing vulnerabilities, particularly the timing of patch releases and the registration of CVEs.