
Common Vulnerabilities and Exposures: Out-of-Cycle Security Bulletin for Junos OS

On August 17, 2023, Juniper announced an “Out-of-Cycle Security Bulletin” for Junos OS on its SRX Series firewalls and EX Series switches. An attacker could exploit these vulnerabilities to achieve remote code execution on the devices, which may in turn grant the attacker access to internal networks and/or non-public data.

Description

The vulnerability potentially allows an attacker to execute code remotely on the affected Juniper devices. Splunk defines “Remote Code Execution (RCE) as a method that allows attackers to gain unauthorized access to devices and launch attacks from a remote location. With RCE, hackers can infiltrate their target's systems without needing physical access to the networks or devices.”

Severity and Impact

According to The Hacker News, the four vulnerabilities have a cumulative CVSS rating of 9.8, making them Critical. According to Juniper’s own bulletin, linked above, “These issues affect all versions of Junos OS on SRX and EX Series.”

Step 1: Determine if you are at risk

All versions of Junos OS on SRX Series firewalls and EX Series switches are impacted. If your organization uses either of these device families, on any version of Junos OS, it is vulnerable to these CVEs.

To assess whether or not your vendors or third parties are vulnerable, customers can access the Juniper Junos Vulnerability questionnaire in the Whistic Platform, in our Questionnaire Standards Library.

Step 2: Recommended steps to help prevent successful exploitation

According to Juniper, a temporary workaround is to disable J-Web, or to limit J-Web access to trusted hosts only. Complete remediation requires upgrading Junos OS on the EX Series switch and/or the SRX Series firewall.

According to Juniper, the following releases remediate the issue:

  • For EX Series, the following releases have resolved this via PR 1735387: 20.4R3-S8, 21.2R3-S6, 21.3R3-S5*, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3*, 23.2R1, and all subsequent releases.
  • For SRX Series, the following releases have resolved this via PR 1735389: 20.4R3-S8, 21.2R3-S6, 21.3R3-S5*, 21.4R3-S5*, 22.1R3-S3, 22.2R3-S2*, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3*, 23.2R1, and all subsequent releases.

  * Pending publication at the time of the bulletin.
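To turn the two release lists above into an inventory check, the following added example (not Juniper's or Whistic's code) parses Junos version strings and reports whether a given SRX or EX device is at or beyond a fixed release. It assumes the usual `<major>.<minor>R<release>[-S<service>]` version shape and treats release trains the bulletin does not list as not remediated; the sample devices at the bottom are constructed.

```python
import re

# Fixed releases from the Juniper bulletin quoted above; entries the page marks
# "*Pending Publication" are included without the asterisk.
FIXED_RELEASES = {
    "EX": ["20.4R3-S8", "21.2R3-S6", "21.3R3-S5", "21.4R3-S4", "22.1R3-S3",
           "22.2R3-S1", "22.3R2-S2", "22.3R3", "22.4R2-S1", "22.4R3", "23.2R1"],
    "SRX": ["20.4R3-S8", "21.2R3-S6", "21.3R3-S5", "21.4R3-S5", "22.1R3-S3",
            "22.2R3-S2", "22.3R2-S2", "22.3R3", "22.4R2-S1", "22.4R3", "23.2R1"],
}

# Assumed Junos version shape: <major>.<minor>R<release>[-S<service>][.<build>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_version(version: str) -> tuple:
    """Turn '21.3R3-S5' into (21, 3, 3, 5); a missing -S part counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service = m.groups()
    return int(major), int(minor), int(release), int(service or 0)


def is_remediated(platform: str, version: str) -> bool:
    """True if `version` is at or beyond a fixed release for the platform.

    A listed train (e.g. 21.4) is fixed from its listed release onward, and any
    train newer than 23.2 is covered by "and all subsequent releases".  Trains
    the bulletin does not list are reported as not remediated.
    """
    fixed = sorted(parse_version(v) for v in FIXED_RELEASES[platform.upper()])
    current = parse_version(version)
    train = current[:2]
    if train > fixed[-1][:2]:
        return True
    return any(current >= f for f in fixed if f[:2] == train)


def triage(platform: str, version: str) -> str:
    """One-line verdict for an inventory report."""
    status = "remediated" if is_remediated(platform, version) else "VULNERABLE - upgrade"
    return f"{platform.upper()} running Junos {version}: {status}"


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for plat, ver in [("SRX", "21.4R3-S4"), ("SRX", "21.4R3-S5"),
                      ("EX", "22.3R2-S3"), ("EX", "23.4R1"), ("EX", "21.1R3")]:
        print(triage(plat, ver))
```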

Does This Affect Whistic?

As a result of our investigation, we have determined that these vulnerabilities do not directly impact Whistic.
