Juniper Networks has shipped fixes for critical bugs inherited from third-party software, as part of its first large shipment of patches in 2023.
In an advisory, Juniper reveals that its Secure Analytics product inherits an Apache Commons Text bug, CVE-2022-42889.
The bug means that applications using a vulnerable version of Apache Commons Text could be vulnerable to remote code execution (RCE).
“This issue affects Juniper Networks Security Threat Response Manager (STRM) versions prior to 7.5.0UP4 on JSA Series," Juniper’s advisory stated.
STRM 7.5.0UP4 and all subsequent releases use a patched version of Apache Commons Text.
In a separate advisory, Juniper said it has also updated the libexpat library it uses in its Junos OS operating system against 15 bugs, seven of which are rated critical (CVSS score of 9.8 in each case). The issue affects “all versions of Junos OS”, the advisory said.
The critical bugs include CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-25315, and CVE-2022-23852, all of which are integer overflows.
CVE-2022-25235 is an encoding validation error, and CVE-2022-25236 “allows attackers to insert namespace-separator characters into namespace URIs”.
Fixes have been shipped for all affected Junos OS build series.
