In this week's Security Advisory:
Juniper Networks released an out-of-band patch to fix four (4) vulnerabilities affecting the J-Web component of Junos OS on SRX Series Firewalls and EX Series Switches. The vulnerabilities are being tracked as CVE-2024-21619, CVE-2023-36846, CVE-2024-21620, and CVE-2023-36851 and each received a CVSS score of 5.3, 5.3, 8.8, and 5.3 out of a possible 10, respectively. CVE-2023-36846 and CVE-2023-36851 were disclosed in August 2023 and could allow an unauthenticated, network-based attacker to modify files on the affected system. CVE-2024-21619 allows an unauthenticated, network-based attacker to access sensitive data. CVE-2024-21620 is a cross-site scripting vulnerability that could be exploited if a victim visits a maliciously crafted website. Successful exploitation could lead to an attacker obtaining access to sensitive data or executing arbitrary commands on the affected system.
These vulnerabilities affect all versions of Junos OS on SRX Series Firewalls and EX Series Switches.
More Reading / Information
Cisco released patches for several Unified Communications and Contact Center Solutions products to fix a critical remote code execution vulnerability. The vulnerability is being tracked as CVE-2024-20253 and is due to improper processing of user supplied data. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted message to a listening port on an affected device and gain remote code execution. CVE-2024-20253 received a CVSS score of 9.9 out of a possible 10.
The following versions are affected:
More Reading / Information
Four (4) vulnerabilities were discovered in the GNU C Library (glibc) in multiple Linux distributions. glibc is a fundamental part of most Linux distributions and provides low-level functionality to the operating system and other applications. Of the vulnerabilities found, the most severe, CVE-2023-6246, is a heap-based buffer overflow vulnerability that could allow a user to elevate their privileges to root. CVE-2023-6246 received a CVSS score of 8.4 out of a possible 10.
As of now, the following distributions are vulnerable to CVE-2023-6246:
More Reading / Information
Google released an update for Chrome addressing a total of four (4) vulnerabilities, with three (3) given a severity rating of "High." The most severe can lead to arbitrary code execution and affects the Windows, Mac, and Linux versions. There are no reports of these vulnerabilities being exploited in the wild.
More Reading / Information
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that a patch will be issued for newly discovered vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which helps inform and support your patch and vulnerability management program.