How to Fix CVE-2023-36846: Juniper Networks Junos OS (Bundle Sibling)
By Sai Kiran Pandrala
| Severity | CVSS 5.3 (Medium) |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV (added 2023-11-13, federal due date 2023-11-17) |
| Affected | Same as the bundle |
| Fixed in | Same patched build as CVE-2023-36844 |
| Type (CWE) | CWE-306 — Missing Authentication for Critical Function |
CVE-2023-36846 ships in the same vendor advisory as CVE-2023-36844. The patched build at the primary write-up closes this CVE too.
What's different about CVE-2023-36846?
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Netwo
The flaw class and remediation are identical to the primary CVE in the bundle. A successful exploit gives the remote attacker the impact described in the vendor advisory.
How to fix CVE-2023-36846
Apply the patched build documented in the primary write-up: How to Fix CVE-2023-36844. The vendor ships a single fix that covers every CVE in this advisory.
Frequently asked questions
Is CVE-2023-36846 actively exploited?
Yes. CVE-2023-36846 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2023-36846?
Medium. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://supportportal.juniper.net/JSA72300
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official vendor advisory: https://supportportal.juniper.net/JSA72300
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36846
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Primary write-up: How to Fix CVE-2023-36844
*This guide is part of the Juniper Networks Junos OS bundle. Full remediation procedure is at CVE-2023-36844.*