This issue affects Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1.
A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal.
Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with 'world' readable file permission or obtain J-Web session tokens.
In the case of command injection, as the HTTP service runs as user 'nobody', the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled.
Junos OS devices with HTTP/HTTPS services disabled are not affected.
There are no viable workarounds for this issue.
It is highly recommended to disable HTTP/HTTPS service and DVPN:
user@device# deactivate system services web-management
user@device# deactivate security dynamic-vpn (if DVPN is configured)
or allowing HTTP service only on from trusted hosts or networks (refer to https://kb.juniper.net/KB21265 for details on how to limit HTTP service).
The following software releases have been updated to resolve this specific issue: 12.3R12-S16, 12.3X48-D101, 12.3X48-D105, 14.1X53-D54, 15.1X49-D211, 15.1X49-D220, 15.1R7-S7, 16.1R7-S8, 17.2R3-S4, 17.4R2-S11, 17.3R3-S8, 17.4R3-S2, 18.1R3-S10, 18.2R2-S7, 18.2R3-S4, 18.3R2-S4, 18.3R3-S2, 18.4R1-S7, 18.4R3-S2, 19.1R1-S5, 19.1R3-S1, 19.2R2, 19.3R2-S3, 19.3R3, 19.4R1-S2, 19.4R2, 20.1R1-S1, 20.1R2 and all subsequent releases.
Note: At the time of this publication, the following fixed releases are available for customer download: 12.3X48-D101, 15.1X49-D211, 18.2R3-S4, 18.4R3-S2, and 20.1R1-S1, the remaining fixed releases will be available in future time.
The 20.1R1-S1 release is currently available for SRX380 only.