
Basic understanding of JunOS security patching

‎04-18-2017 10:35 AM

Hi there,

 

I'm new to the world of JunOS and have a question about security patching of our EX3300 switches.

Currently we are running 15.1R5.5. How can I see which security patch level I have? Here for example is mentioned that this specific security issue is solved in version 15.1R5-S2. Where can I get and install this?

 

Thanks for explaining and many greets

Stephan


Re: Basic understanding of JunOS security patching

‎04-19-2017 05:17 PM

You download Junos versions from support and drill into them by the specific platform.

 

http://www.juniper.net/support/downloads/?p=ex3300

 

From here you choose the major release on the right and all the available options for that platform are listed.

 

Note that not every detail version appears on every platform.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Basic understanding of JunOS security patching

‎01-16-2018 03:13 AM

Hi spuluka,


thanks a lot for your answer - and sorry for my late reply!


So I just downloaded jinstall-ex-3300-15.1R6.7-domestic-signed.tar. But I'm wondering about the last modified date of this file: 2017-04-23. Is this really the latest version with the newest security patches?


Thanks a lot and many greets

Stephan


Re: Basic understanding of JunOS security patching

‎01-16-2018 04:53 AM

Hi,

 

Follow this link:

https://www.juniper.net/support/downloads/?p=ex3300#sw

 

On the upper right side, there is a dropdown option called TYPE/OS; tap on that and you will see "JUNOS SR".

The SR is a service release patch. https://screenshots.firefox.com/uJrw8na4M1a9ViAF/www.juniper.net

 

Regards,

Karan

 

 

 

/Karan Dhanak
# Please mark my solution as accepted if it helped, Kudos are appreciated as well.


Re: Basic understanding of JunOS security patching

‎01-16-2018 04:58 AM

 

To add some further info: I noticed you mentioned JUNOS 15.1R5-S2. The latest inline service release for the 15.1R5 branch is S3, and it is recommended to go to the latest patch in its branch.

 

/Karan Dhanak

Re: Basic understanding of JunOS security patching

‎01-16-2018 05:46 AM

Hi Karan,


thanks a lot!

Sooo... at the moment we are running 15.1R5.5.

Is it possible/recommended to upgrade to 15.1R6-S3, or should we upgrade to 15.1R5-S3?

And (last question, hopefully) is it correct that we aren't affected by CVE-2018-0001?


Thanks a lot and greets

Stephan

 


Re: Basic understanding of JunOS security patching

‎01-16-2018 06:36 AM

Hi Stephan,

 

Can certainly recommend JUNOS 15.1R5-S3 & JUNOS 15.1R6-S3 as well which is the latest in-line.

 

For CVE-2018-0001, JUNOS 15.1R5.5 is not listed as affected, but we did add a code fix in certain release builds to resolve the specific issue. (CVE-2018-0001 is specific to the J-Web use case.)

 

 

 

/Karan Dhanak

Re: Basic understanding of JunOS security patching

‎11-27-2018 02:12 AM

Hi there,

 

Finally, last Saturday we updated our EX3300 virtual chassis to Junos OS version 15.1R7.9 successfully! :-)
...in Germany we say something like "better late than never" :-D

 

Thanks a lot for your support and many greets

Stephan


Re: Basic understanding of JunOS security patching

a week ago

back again! :-D

 

We are still on 15.1R7.9.

And I'm still uncertain about the relationship between "Junos" and "Junos SR". For example in this Security Bulletin I can read the following: "This issue affects [...] 15.1 versions prior to 15.1F6-S13, 15.1R7-S5". So... am I affected? Do I have to update to 15.1R7-S5 to solve this issue? Is there a "non-SR" version coming which also solves this issue?

 

Thanks for your support and many greets

Stephan


Re: Basic understanding of JunOS security patching

a week ago

Hello,

You are 1 more click away (+ login with Your Juniper account username & password) to get this information.

From within the Bulletin itself, click on the link on the following line:

 

This issue is being tracked as PR 1410401 which is visible on the Customer Support website.

 

This link will bring You to the PRsearch tool where You need to login with Your Juniper account username & password.

Once the PRsearch page for bug 1410401 opens, there is a section titled "Resolved In" that looks like below (it is unsorted but I added a red color to the relevant row to show You the regular R version with the fix in the 15.1 code branch).

 

Resolved In
Release junos
16.2R2-S10 x
18.2R3 x
18.3R3 x
18.4R2 x
15.1X53-D238 x
16.2R3 x
15.1R8 x
16.1R7-S5 x
19.1R1-S2 x
15.1X49-D180 x
15.1R7-S5 x
15.1X49-D181 x
16.1R4-S13 x
17.4R3 x
17.3R3-S5 x
19.2R2 x
12.3X48-D85 x
15.1F6-S13 x
19.1R2 x

 

HTH

Thx

Alex

 

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
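
The comparison discussed above, as an added Python example (not part of the original thread and not Juniper tooling): it parses Junos release strings and checks an installed version against the "Resolved In" rows quoted in the post. The function names and the matching rule for differing R numbers are assumptions made for illustration; whether a platform is exposed at all is decided by the bulletin, not by the version string.

```python
import re

# Constructed input: the "Resolved In" rows quoted in the post above.
RESOLVED_IN = """16.2R2-S10 18.2R3 18.3R3 18.4R2 15.1X53-D238 16.2R3 15.1R8
16.1R7-S5 19.1R1-S2 15.1X49-D180 15.1R7-S5 15.1X49-D181 16.1R4-S13 17.4R3
17.3R3-S5 19.2R2 12.3X48-D85 15.1F6-S13 19.1R2""".split()

# train (15.1), type letter (R/F/X), number, optional -S<n>/-D<n>, optional .<build>
_VER = re.compile(r"^(\d+\.\d+)([A-Z])(\d+)(?:-([SD])(\d+))?(?:\.(\d+))?$")

def parse(version):
    """Split a Junos release string into (train, track, number, patch)."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    train, kind, number, _, patch, _build = m.groups()
    # X releases are separate tracks (X49, X53): the number is part of the track.
    track = kind + number if kind == "X" else kind
    return train, track, int(number), int(patch or 0)

def status(installed, resolved_in=RESOLVED_IN):
    """Return 'fixed', 'not fixed' or 'not listed' for an installed version."""
    train, track, number, patch = parse(installed)
    fixes = [(n, p) for t, k, n, p in map(parse, resolved_in)
             if (t, k) == (train, track)]
    if not fixes:
        return "not listed"   # no fix row for this train/track: read the PR
    same = [p for n, p in fixes if n == number]
    if same:                  # e.g. R7 against R7-S5: compare the service release
        return "fixed" if patch >= min(same) else "not fixed"
    # Conservative assumption: a different R number counts as fixed only
    # when it is newer than every fix listed for this train and track.
    return "fixed" if number > max(n for n, _ in fixes) else "not fixed"

if __name__ == "__main__":
    for v in ("15.1R7.9", "15.1R8", "12.3R12-S12"):
        print(v, "->", status(v))
```
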

Re: Basic understanding of JunOS security patching

a week ago

I'm still uncertain about the relationship between "Junos" and "Junos SR".

SR is service release - these are generally a version released to more quickly respond to patching specific issues and not a full normal release cycle. They will address specific listed PRs, which could be either software bugs or security issues.

 

As Alex notes, when you are looking for the versions that have a specific fix available you get that information from the PR details in that database.

 

As a general upgrade process, if you don't have specific issues, consult the JTAC current recommended version per platform and then install the most recently posted release in that version chain.

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Basic understanding of JunOS security patching

Wednesday

Thanks a lot for your explanations!

So PR1410401 says that this security issue is resolved in 15.1R8. Unfortunately this version doesn't exist for EX3300 (yet). Will it be released (soon)? If not, should I upgrade to 15.1R7-S5? I don't have "specific issues", my only goal is to fix this security issue.

 

Thanks and greets

Stephan

 


Re: Basic understanding of JunOS security patching

[ Edited ]
Wednesday

Hello,

 


@Rinklin Naturkost GmbH wrote:

this security issue is resolved in 15.1R8. Unfortunately this version doesn't exist for EX3300 (yet). Will it be released (soon)?

 


 

No it won't. 15.1 code train development was extended only for M/T series

https://support.juniper.net/support/eol/software/junos/#6

 

 


@Rinklin Naturkost GmbH wrote:

If not, should I upgrade to 15.1R7-S5? I don't have "specific issues", my only goal is to fix this security issue.

 

 


 

Then if You want to stick to 15.1 code train, pick another one listed in PR1410401 "Resolved In" section.

If You are willing to explore other JUNOS code trains, pick the one listed in PR1410401 "Resolved In" section _AND_ on JTAC "Recommended Software Versions" page https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=METADATA

 

HTH

Thx

Alex

 


Re: Basic understanding of JunOS security patching

[ Edited ]
Wednesday

@aarseniev wrote:

Then if You want to stick to 15.1 code train, pick another one listed in PR1410401 "Resolved In" section.

If You are willing to explore other JUNOS code trains, pick the one listed in PR1410401 "Resolved In" section _AND_ on JTAC "Recommended Software Versions" page https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=METADATA

 

uh - the JTAC "Recommended Software Version" is 12.3R12-S12. I'm pretty sure that it was 15.1 some time ago (that was why we upgraded). Can you confirm that it was 15.1, and was corrected later?

Anyway: Should we downgrade to 12.3R12-S12? Is it technically possible?

 

Greets

Stephan