1.1 Ensure Device is running Current Junos Software

Information

All JUNOS Devices should run the current Recommended Release of JUNOS.

Rationale:

As with any software, the JUNOS Operating System installed on Juniper Devices may be subject to Bugs, Instabilities and Security Vulnerabilities discovered over time.

Juniper periodically issues software patches for all Juniper Devices which are currently supported, and for which the operating organization has a valid support contract.

All JUNOS Devices in a production network should be kept up to date based on Security Advisories issued by the Juniper Networks Security Incident Response Team (SIRT).

SIRT publishes non-urgent Security Bulletins on a predefined quarterly schedule, but may also issue out-of-cycle Security Advisories in response to more urgent events such as malicious exploitation of Zero Day vulnerabilities, as described in Juniper Knowledge Base Article KB16613.

A list of Security Advisories can be viewed on the Juniper Knowledge Base here or as an RSS Feed here. No login is required, but additional information is available to users with a Juniper CSC or SSO account.

If you have a Login to the Juniper Customer Portal, you can Subscribe to Knowledge Base articles or to SIRT Security Advisories for your platform/s by going to the Manage My Subscriptions section. You can also subscribe the RSS Feed to be notified of new Security Advisories without any login being required.

Organizations which utilize the Junos Space central management platform can use Service Insight to get proactive notifications for SIRT Advisories and End of Life Notifications impacting their managed, supported systems.

All administrators responsible for management of Junos devices should ensure that they have a process to keep up to date on SIRT Security Advisories and apply necessary patches in a timely manner.

For new device deployments, Juniper provide a regularly update list of supported Junos Software called the Junos Software Versions - Suggested Releases to Consider and Evaluate (formally known as the JTAC Recommended Release).

The Suggested Release is specified for each currently supported platform in Juniper Knowledge Base Article KB21476 and is intended as a starting point to help customers select a Junos Software version that meets their deployment needs and can be readily supported by JTAC should assistance be required.

The Junos Software Versions - Suggested Releases to Consider and Evaluate Knowledge Base article is regularly updated by Juniper and typically reflects current Security Advisories at the time of posting, but it is strongly recommended that administrators using the Suggested Releases as a starting point should always check for any subsequent Security Advisories which may have been issued in the interim to select the best version to deploy.

Impact:

During updates JUNOS Devices reboot to load the new software. In some instances this may result in loss of service. Please refer to the documentation for your platform before attempting to update software.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Software patching procedures may vary between different platforms or organizations and can be accomplished using the CLI, the JWeb GUI, centrally through Junos Space or other management platforms.
To update a standalone JUNOS Device through the CLI, first upload the desired software image (downloaded from Juniper or your Support Partner) to the JUNOS Device in the /var/tmp/ folder.
In most cases an upgrade is performed with the following command, issued from Operational Mode:

user@host> request system software add /var/tmp/<image name>

Where <image name> is the filename of the JUNOS image provided by Juniper.
NOTE - Updating JUNOS Software with this command will result in a reboot of the system and loss of service.
In platforms deployed with redundant Routing Engines, as Virtual Chassis or as HA Clusters, an In-Service Software Updates (or ISSU) may be supported. An ISSU update updates and reboots each node or RE separately, failing services on to the other node/RE prior to the reboot.
To perform an ISSU Update, on most platforms, issue the following command from Operational Mode:

user@host> request system software in-service-upgrade /var/tmp/<image name>

NOTE - The specific procedure and prerequisites for ISSU varies by platform and deployment type. If some prerequisites (such as NSR or GRES) are not correctly configured a loss of service may still occur.
Please refer to the documentation for your platform and network enviroment before attempting to update software.

Default Value:

JUNOS Devices do not always ship with the current JTAC Recommended Release or latest Software Patches installed.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2c., CSCv7|11.4

Plugin: Juniper

Control ID: 8504e966e7f6375bf0a1b2ad95082d911caf963bae95bf7798ab3ba6572e70d9