1.1 Ensure Device is running JTAC Recommended Software Release

Information

All JUNOS Devices should run the current JTAC Recommended Release of JUNOS.

Rationale:
As with any software, the JUNOS Operating System installed on Juniper Devices may be subject to Bugs, Updates and Vulnerabilities discovered over time.
Juniper periodically issues software patches for all Juniper Devices that are currently supported and for which the operating organization has a valid support contract.
All JUNOS Devices in a production network should be updated and run the current JTAC (Juniper Technical Assistance Center) Recommended Release for the platform, which is specified in Juniper Knowledge Base Article KB21476.
If you have a Login to the Juniper Customer Portal, you can subscribe to this KB Article, so that you receive email alerts whenever the current JTAC Recommended Release is changed or updated.
You should only operate a version other than that listed in KB21476 in a production environment when specifically instructed to do so by JTAC in order to resolve an issue.
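One way to review this control across several devices is sketched below as an added example; it is not part of the benchmark or of Nessus. It assumes `show version` output has been captured per device in one of the two styles shown; the release map, the exception list and the sample captures are constructed placeholders, and the real recommended releases must come from KB21476.

```python
import re

# Hypothetical model -> release map. Values are constructed placeholders;
# take the real ones for each platform from KB21476.
RECOMMENDED = {"mx240": "21.4R3-S5.4", "ex4200-48t": "12.3R12.4"}
# Hypothetical (hostname, release) pairs JTAC has told you to run instead.
JTAC_EXCEPTIONS = {("core2", "22.2R3.15")}

# Constructed `show version` captures: newer "Junos:" line, older bracket style.
SAMPLE_NEW = "Hostname: edge1\nModel: mx240\nJunos: 21.4R3-S4.9\n"
SAMPLE_OLD = ("Hostname: access7\nModel: ex4200-48t\n"
              "JUNOS Base OS boot [12.3R12.4]\n"
              "JUNOS Base OS Software Suite [12.3R12.4]\n")
SAMPLE_EXC = "Hostname: core2\nModel: mx240\nJunos: 22.2R3.15\n"

RELEASE_RE = re.compile(
    r"^(?:Junos:\s*(\S+)|JUNOS .*\[(\d+\.\d+[A-Z][^\]\s]*)\])", re.M)

def parse_show_version(text):
    """Return (hostname, model, release); any field may be None."""
    def field(name):
        m = re.search(rf"^{name}:\s*(\S+)", text, re.M)
        return m.group(1) if m else None
    m = RELEASE_RE.search(text)
    release = (m.group(1) or m.group(2)) if m else None
    return field("Hostname"), field("Model"), release

def audit(text, recommended=RECOMMENDED, exceptions=JTAC_EXCEPTIONS):
    """Classify one device as PASS, EXCEPTION, FAIL or UNKNOWN."""
    host, model, release = parse_show_version(text)
    want = recommended.get((model or "").lower())
    if release is None or want is None:
        status = "UNKNOWN"      # unparsed output, or model not in the map
    elif release == want:
        status = "PASS"
    elif (host, release) in exceptions:
        status = "EXCEPTION"    # deviation instructed by JTAC
    else:
        status = "FAIL"         # any other release, older or newer
    return {"host": host, "model": model, "running": release,
            "recommended": want, "status": status}

if __name__ == "__main__":
    for capture in (SAMPLE_NEW, SAMPLE_OLD, SAMPLE_EXC):
        print(audit(capture))
```

A release newer than the recommended one is reported as FAIL on purpose, since the control allows a different version only on JTAC instruction.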

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Upload the current JTAC Recommended Release to the JUNOS Device in the /var/tmp/ folder.
In most cases an upgrade is performed with the following command, issued from Operational Mode:
user@host> request system software add /var/tmp/<image name>
Where <image name> is the filename of the JUNOS image provided by Juniper.

NOTE - Updating JUNOS Software with this command will result in a reboot of the system and loss of service.
In platforms deployed with redundant Routing Engines, as Virtual Chassis or as HA Clusters, In-Service Software Updates (or ISSU) may be supported. An ISSU update updates and reboots each node or RE separately, failing services on to the other node/RE prior to the reboot.
To perform an ISSU Update, on most platforms, issue the following command from Operational Mode:
user@host> request system software in-service-upgrade /var/tmp/<image name>

NOTE - The specific procedure and prerequisites for ISSU vary by platform and deployment type. If some prerequisites (such as NSR or GRES) are not correctly configured, a loss of service may still occur.
Please refer to the documentation for your platform before attempting to update software.

Impact:
During updates JUNOS Devices reboot to load the new software. In some instances this may result in loss of service. Please refer to the documentation for your platform before attempting to update software.

Default Value:
JUNOS Devices do not always ship with the current JTAC Recommended Release installed.

See Also

https://workbench.cisecurity.org/files/2278

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, CSCv7|11.4

Plugin: Juniper

Control ID: e4703b8c16688e605783583f0f99612fef9e5756b8bd0c93da22a60a730e57e9