Reg story prompts fresh security bulletin, review of Juniper Networks' CVE process

2024-01-30 15:30

The four vulnerabilities reported to Juniper Networks by watchTowr researcher Aliz Hammond, which were later found to be missing individual CVEs, have now each been disclosed separately, per an out-of-cycle security advisory.

Despite submitting four vulnerability reports in total, Juniper credited watchTowr with the discovery of just two.

"Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability," the advisory reads.

Hammond originally approached the vendor in 2023 to disclose the four vulnerabilities, and Juniper responded by requesting a delay to watchTowr's typical 90-day reporting window.

Missing authentication vulnerabilities are among the easiest to exploit so it's intriguing as to why Juniper didn't think to register each of the three that are now disclosed with CVEs in the first place.

Juniper offered an explanation in its updated customer-facing bulletin, according to watchTowr, saying that due to non-technical reasons it typically applies for CVEs towards the end of the disclosure process.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/30/juniper_networks_vulnerabilities/

#CVE #juniper #junipernetworks #security

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Juniper		222	108	435	226	44	813