PT-2023-22058 · Openvpn+1 · Openvpn+1

Published: 2023-04-17 · Updated: 2023-04-27 · CVE-2023-28971

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Juniper Networks Paragon Active Assurance versions prior to 4.1.2

Description

An issue in the timescaledb feature of Juniper Networks Paragon Active Assurance allows an attacker to bypass existing firewall rules and limitations used to restrict internal communications. The Test Agents Appliance connects to the Control Center using OpenVPN, with Test Agents assigned an internal IP address in the 100.70.0.0/16 range. Firewall rules limit communication from Test Agents to the Control Center to specific services only. However, when the timescaledb container is started, it bypasses the existing firewall rules and limitations for Test Agent communications. This issue only affects customers hosting their own on-prem Control Center; the Paragon Active Assurance Software as a Service is not affected because the timescaledb service is not enabled there.

Recommendations

For versions prior to 4.1.2, update to version 4.1.2 or later to resolve the issue. As a temporary workaround, consider disabling the timescaledb feature until a patch is available. Restrict access to the timescaledb container to minimize the risk of exploitation. Avoid using the timescaledb service in the affected Control Center application until the issue is resolved.

Related Identifiers

CVE-2023-28971

Affected Products

Juniper Networks Paragon Active Assurance
Openvpn