15 Apr 2014

Juniper Networks addresses "Heartbleed" issue


Various products: Please see the list in the problem section


The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information (such as private keys, usernames and passwords, or contents of encrypted traffic) from process memory via crafted packets that trigger a buffer over-read. This issue is also known as the Heartbleed Bug.

Status of different OpenSSL versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

OpenSSL 1.0.1g is NOT vulnerable

OpenSSL 1.0.0 branch is NOT vulnerable

OpenSSL 0.9.8 branch is NOT vulnerable

Vulnerable Products

Junos OS 13.3R1

Odyssey client 5.6r5 and later

SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later (Fixed code is listed in the "Solution" section)

UAC 4.4r1 and later, and UAC 5.0r1 and later (Fixed code is listed in the "Solution" section)

Junos Pulse (Desktop) 5.0r1 and later, and Junos Pulse (Desktop) 4.0r5 and later

Network Connect (Windows only) versions 7.4R5 to 7.4R9.1 and 8.0R1 to 8.0R3.1. (This client is only impacted when used in FIPS mode.)

Junos Pulse (Mobile) on Android version 4.2R1 and higher.

Junos Pulse (Mobile) on iOS version 4.2R1 and higher. (This client is only impacted when used in FIPS mode.)

Products Not Vulnerable

Junos OS 13.2 and earlier is not vulnerable

Non-FIPS version of Network Connect clients are not vulnerable

SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable

SRX Series is not vulnerable

Junos Space is not vulnerable

NSM is not vulnerable

Pulse 4.0r4 and earlier is not vulnerable

QFabric Director is not vulnerable

CTPView is not vulnerable

vGW/FireFly Host is not vulnerable

Firefly Perimeter is not vulnerable

ScreenOS is not vulnerable

UAC 4.3, 4.2, and 4.1 are not vulnerable

JUNOSe is not vulnerable

Odyssey client 5.6r4 and earlier are not vulnerable

Junos Pulse (Mobile) on iOS (Non-FIPS Mode) is not vulnerable

WX-Series is not vulnerable

Junos DDoS Secure is not vulnerable

STRM/JSA is not vulnerable

WebApp Secure is not vulnerable

Media Flow Controller is not vulnerable

SBR Carrier is not vulnerable

SBR Enterprise is not vulnerable

Junos Pulse Mobile Security Suite is not vulnerable

SRC Series is not vulnerable

Junos Pulse Endpoint Profiler is not vulnerable

Smart Pass is not vulnerable

Ring Master is not vulnerable

ADC is not vulnerable

Products currently under investigation

Stand Alone IDP

Juniper continues to investigate this issue and as new information becomes available this document will be updated.

This issue has been assigned CVE-2014-0160.


We are working around the clock to provide fixed versions of code for our affected products.

For more information regarding specific products, please find product codes and links below:


Juniper Networks has released IVEOS 8.0R3.2 and 7.4R9.2. For more information surrounding this issue for this platform please see KB:


Juniper Networks will release (ETA April 10th, 2014) UAC 5.0r3.2. For more information surrounding this issue for this platform please see KB:


Junos OS 13.3R1.6, 13.3R1.7, and 13.3R1-S1 have been recalled and will be re-released with fixes to resolve this issue.

IDP Signatures:

Juniper has released signatures to detect this issue:

Sigpack 2362 released:

SSL: OpenSSL TLS DTLS Heartbeat Information Disclosure:

Note: This advisory will be updated with fixed software versions as they are made available to our customers.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed as per our End of Engineering and End of Life support policies.



Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:

Disabling J-Web

Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes

Limit access to J-Web and XNM-SSL to only trusted networks


Other than downgrading to an unaffected release, there are no workarounds for this issue.



OpenSSL Security Advisory


CVSS Score: 9.4 (AV:N/AC:L/Au:N/C:C/I:C/A:N)




We consider this to be a critical issue. The sensitive information potentially exposed by this issue can be leveraged to further compromise the system. Exploits are known to exist in the wild. Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."