Bash or the Bourne again shell has vulnerabilities in the way it handles environment variables when it is invoked. Under some scenarios, network based remote attackers can inject shell script that can be executed on a system. This is also known as "ShellShock".
Products vulnerable to remote exploitation risks:
- Junos Space is vulnerable in all versions.
- JSA Series (STRM) devices are vulnerable in all versions.
- NSM Appliances (NSM3000 and NSMExpress) are vulnerable in all versions.
Products with bash, but NOT affected by remote exploitation risks:
Our current assessment shows there is no risk of remote code execution on these products even though the products include bash. Scenarios required for known remote exploitation vectors do not exist on these products. As a precaution, bash in these products will be upgraded.- SSL VPN
- UAC
- CTPView
- QFabric
- DDOS Secure
- JWAS
- vGW
- SRC
- Junos Pulse Endpoint Profiler
Products NOT affected:
- Junos OS is not vulnerable.
- ScreenOS is not vulnerable.
- JunosE is not vulnerable.
- ADC is not vulnerable.
- SRX-IDP is not vulnerable.
- ISG-IDP is not vulnerable.
- WX is not vulnerable.
- MFC is not vulnerable.