Tuesday 14 April 2015

Patch Assessment Support - Software Deprecation

Patch Assessment Support using Shavlik, offered via Juniper, will be deprecated ending June 2015, and the Patch Assessment data file will not be updated.
 
Junos Pulse Connect Secure and Junos Pulse Policy Secure (UAC 5.1/SA 8.1), formerly known as Junos Pulse Secure Access Service and Junos Pulse Access Control Service respectively, will not contain Patch Assessment via Shavlik. However, there will be a means of device posture assessment for patches via OPSWAT.
 
The OPSWAT solution will not be identical in experience or functionality owing to differences in technology, but will provide essential assessment capabilities addressing critical needs for our customers.
 
In addition, Junos Pulse Secure Access Service 8.0 and below and Junos Pulse Access Control Service 5.0 and below will lose the ability to carry out Patch Assessment for patches available after June 2015, because the Patch Assessment data file will not be updated.
 
Patch Assessment functionality via Shavlik will be deprecated starting with SA 8.1 / UAC 5.1 / Junos Pulse 5.1. At that time, Patch Assessment will be provided through other means utilizing capabilities from OPSWAT.
 
If you are currently utilizing Shavlik for Patch Assessment, you will continue to have support through June 2015, after which data file updates will no longer be provided. Customers looking to have continued Patch Assessment capability through Pulse Secure SA/UAC products beyond June 2015 will have to migrate to OPSWAT based Patch Assessment.
 
In order to ensure a smooth transition, OPSWAT based Patch Assessment is available in 8.0R10 and will co-exist with Shavlik Patch Assessment.
 
In the SA 8.1 / UAC 5.1 release train, we only have OPSWAT based assessment.
Customers can leverage the co-existence of both methods in the same release to ensure smooth Patch Assessment policy migration and functionality from Shavlik to OPSWAT.
 
Junos Pulse Secure Access Service 8.0 and below and Junos Pulse Access Control Service 5.0 and below will also lose the ability to carry out Patch Assessment for patches available after June 2015, because the Patch Assessment data file will not be updated.

Maintenance release after June 2015 for Junos Pulse Secure Access Service 8.0 and Junos Pulse Access Control Service 5.0 will deprecate the feature of Patch Assessment Support using Shavlik.

Saturday 11 April 2015

Juniper: SDN Strategies



Juniper’s SDN strategy isn’t built on OpenFlow, but rather uses a mix of its network management software (Junos Space) and the Contrail network overlay controller that it acquired in late 2012 and open sourced last fall.

Its overlay approach is similar to VMware’s NSX and other virtual networks that are built using tunneling protocols over TCP/IP.

Like Arista, Juniper touts the programmability of its hardware, specifically the MX edge routers and EX and QFX series switches, with open APIs providing the means to automate network management, configuration, and control.

By open sourcing Contrail, it appears Juniper would rather focus on providing application-layer network services and orchestration for its legacy switching fabrics than centralized physical layer flow control.

Thursday 9 April 2015

SRX Series: ISC BIND vulnerability denial of service in delegation handling (CVE-2014-8500)

ISC BIND software included with Junos for SRX series devices is affected by CVE-2014-8500. This may allow a network based attacker to cause a denial of service condition on SRX devices.
This issue only affects SRX devices where "set system services dns dns-proxy" has been configured. This is not enabled by default on SRX devices.
This issue does not affect other Junos OS based devices, as they do not have the BIND DNS server feature.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue has been assigned CVE-2014-8500.
Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D50 (pending release), 12.1X46-D35 (pending release), 12.1X47-D25 (pending release), 12.3X48-D10, and all subsequent releases.

This issue is being tracked as PR 1048628 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.
Workaround:
There are no known workarounds.
Implementation:

How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
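A triage check for the CVE-2014-8500 advisory above, added here as an example and not taken from Juniper or the original post: it reads a device's `show configuration | display set` text and its Junos version string, and reports whether dns-proxy is active and whether the release is at or above the fixed release for its train. The function names, the sample configuration and the handling of `deactivate` lines are assumptions of this example; the fixed releases are the ones listed in the Solution section.

```python
import re

# Fixed D-release per train, copied from the advisory's Solution section.
FIXED_D = {"12.1X44": 50, "12.1X46": 35, "12.1X47": 25, "12.3X48": 10}
DNS_PROXY = ("system", "services", "dns", "dns-proxy")
VERSION_RE = re.compile(r"^(\d+\.\d+X\d+)-D(\d+)")


def dns_proxy_active(set_config):
    """True if dns-proxy is configured and not deactivated (display-set text)."""
    configured = deactivated = False
    for line in set_config.splitlines():
        words = tuple(line.split())
        if not words:
            continue
        verb, path = words[0], words[1:]
        if verb == "set" and path[:4] == DNS_PROXY:
            configured = True
        # Deactivating dns-proxy or any parent hierarchy switches it off.
        elif verb == "deactivate" and path and path == DNS_PROXY[:len(path)]:
            deactivated = True
    return configured and not deactivated


def assess(version, set_config):
    """Return 'not-exposed', 'fixed', 'vulnerable' or 'unknown-train'."""
    if not dns_proxy_active(set_config):
        return "not-exposed"
    m = VERSION_RE.match(version.strip())
    if not m or m.group(1) not in FIXED_D:
        return "unknown-train"  # train not listed above: check the advisory
    return "fixed" if int(m.group(2)) >= FIXED_D[m.group(1)] else "vulnerable"


# Constructed sample input (not taken from a real device).
SAMPLE_CONFIG = """\
set system host-name srx-branch-01
set system services ssh
set system services dns dns-proxy interface ge-0/0/1.0
set system services dns dns-proxy default-domain * forwarders 192.0.2.53
"""

if __name__ == "__main__":
    for ver in ("12.1X46-D30.2", "12.1X46-D35", "12.3X48-D10.3", "12.1X45-D15"):
        print(ver, assess(ver, SAMPLE_CONFIG))
    print("deactivated:", assess(
        "12.1X46-D30.2", SAMPLE_CONFIG + "deactivate system services dns\n"))
```

Since the advisory lists no workaround, a device reported as `vulnerable` needs the upgrade; three of the fixed releases were still marked pending release when this was posted.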

Wednesday 8 April 2015

Junos PR search tool

The PR (Problem Report) Search tool allows you to do a variety of searches across Juniper Networks' external bug content on the web. Currently, this application is fully supported for products which run the Junos OS. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and the EX Series Ethernet Switches.
