CVE-2022-22152
📋 TL;DR
CVE-2022-22152 is a protection mechanism failure in the REST API of Juniper Networks Contrail Service Orchestration (CSO) that allows one tenant to view another tenant's confidential configuration details, including firewall configurations, access control policies, and other sensitive information, potentially weakening the exposed tenant's defenses. It affects Contrail Service Orchestration versions prior to 6.1.0 Patch 3.
💻 Affected Systems
- Juniper Networks Contrail Service Orchestration
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Tenant obtains another tenant's firewall rules and access policies, enabling targeted attacks, lateral movement, or exploitation of additional vulnerabilities in the exposed tenant's environment.
Likely Case
Tenant gains unauthorized visibility into another tenant's security configurations, potentially identifying weaknesses or sensitive network information for reconnaissance purposes.
If Mitigated
With proper network segmentation and API access controls, impact is limited to information disclosure within the same administrative domain.
🎯 Exploit Status
Exploitation requires tenant-level access to the REST API. The vulnerability is in the API's tenant isolation mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.0 Patch 3 or later
Vendor Advisory: https://kb.juniper.net/JSA11260
Restart Required: Yes
Instructions:
1. Download the patch from the Juniper support portal.
2. Back up the current configuration.
3. Apply the patch following Juniper's upgrade procedures.
4. Restart affected services or the system as required.
🔧 Temporary Workarounds
Restrict API Access
Limit REST API access to trusted networks and implement strict access controls between tenants.
Network Segmentation
Implement network segmentation to isolate tenant traffic and API endpoints.
🧯 If You Can't Patch
- Implement strict network segmentation between tenant environments
- Monitor REST API access logs for unauthorized cross-tenant requests
🔍 How to Verify
Check if Vulnerable:
Check Contrail Service Orchestration version via admin interface or CLI. Versions prior to 6.1.0 Patch 3 are vulnerable.
Check Version:
show version (via CLI) or check admin dashboard
Verify Fix Applied:
Verify version is 6.1.0 Patch 3 or later and test tenant isolation via API requests.
📡 Detection & Monitoring
Log Indicators:
- Unusual cross-tenant API requests
- Access to other tenants' configuration endpoints
- Failed authorization attempts for tenant-specific resources
Network Indicators:
- API requests accessing multiple tenant IDs from single source
- Unusual patterns in REST API traffic between tenants
SIEM Query:
source_ip=* AND (uri_path CONTAINS "/tenant/" OR uri_path CONTAINS "/config/") AND status_code=200 AND user_agent="*" | stats count by source_ip, uri_path
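Added example (not from this page or Juniper): a small Python script that applies the two network indicators above to constructed API access log lines, flagging successful reads where the tenant in the URI differs from the authenticated tenant, and sources that read configuration for several tenant IDs. The log line format and the /tenant/<id>/config/ path layout are assumptions for illustration, not CSO's real log or API format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real CSO output). Assumed format:
# <time> <source_ip> tenant=<authenticated tenant> <METHOD> <uri_path> <status>
SAMPLE_LOG = """\
2022-01-12T10:00:01Z 10.0.1.5 tenant=acme GET /tenant/acme/config/firewall 200
2022-01-12T10:00:07Z 10.0.1.5 tenant=acme GET /tenant/globex/config/firewall 200
2022-01-12T10:00:09Z 10.0.1.5 tenant=acme GET /tenant/initech/config/policies 200
2022-01-12T10:01:30Z 10.0.2.9 tenant=globex GET /tenant/globex/config/policies 200
2022-01-12T10:02:11Z 10.0.3.3 tenant=initech GET /tenant/acme/config/firewall 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) tenant=(?P<auth_tenant>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Tenant id embedded in the URI path (assumed layout /tenant/<id>/config/...)
PATH_TENANT_RE = re.compile(r"^/tenant/(?P<path_tenant>[^/]+)/config/")

def parse_log(text):
    """Parse constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        pm = PATH_TENANT_RE.match(ev["path"])
        ev["path_tenant"] = pm.group("path_tenant") if pm else None
        events.append(ev)
    return events

def cross_tenant_reads(events):
    """Successful (2xx) config reads where the URI tenant differs from the
    authenticated tenant. A fixed CSO should reject these (e.g. 403)."""
    return [ev for ev in events
            if ev["path_tenant"] and ev["path_tenant"] != ev["auth_tenant"]
            and 200 <= ev["status"] < 300]

def multi_tenant_sources(events, threshold=2):
    """Sources that successfully read config for >= threshold distinct tenant ids."""
    seen = defaultdict(set)
    for ev in events:
        if ev["path_tenant"] and 200 <= ev["status"] < 300:
            seen[ev["src"]].add(ev["path_tenant"])
    return {src: sorted(t) for src, t in seen.items() if len(t) >= threshold}
```

Run both functions over parse_log(SAMPLE_LOG); the 403 line is excluded from both results because the read did not succeed, which is the behaviour expected after the patch.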