CVE-2023-36844 — Juniper Junos OS EX Series PHP External Variable Modification Vulnerability

Juniper Junos OS EX Series J-Web — PHP External Variable Modification Enables Pre-Auth RCE When Chained with File Upload CVEs; August 2023 Out-of-Cycle Bulletin

What is Juniper Junos OS J-Web?

Juniper Junos OS is the operating system powering Juniper Networks' EX Series switches, SRX Series firewalls, and other network devices. J-Web is the Junos OS web-based management interface: a browser-accessible GUI for device configuration, monitoring, and administration, implemented as a PHP web application that handles the administrative web UI requests. J-Web is not enabled by default on every platform, but where it is enabled and reachable from untrusted networks, unauthenticated vulnerabilities in its PHP application are high-value targets for network infrastructure compromise.

Overview

CVE-2023-36844 is a PHP external variable modification vulnerability (CWE-473) in the J-Web interface of Juniper Junos OS on EX Series switches. With a crafted request, an unauthenticated network attacker can control certain important environment variables of the J-Web PHP application, which is scored as a partial (low) integrity impact. Its standalone CVSS score of 5.3 understates its practical significance: it is one of a cluster of J-Web issues that Juniper disclosed together because they can be combined into an unauthenticated remote code execution chain. The cluster consists of two PHP environment variable modification bugs (CVE-2023-36844 on EX Series and CVE-2023-36845 on EX and SRX Series) and three missing-authentication file upload bugs (CVE-2023-36846 and CVE-2023-36851 on SRX Series, CVE-2023-36847 on EX Series). Juniper rated the combined chain 9.8 (Critical): pairing an environment variable modification with an arbitrary file upload yields unauthenticated remote code execution on devices with J-Web enabled.

Juniper published an out-of-cycle security bulletin on August 17, 2023 covering this cluster. CISA added CVE-2023-36844 to the Known Exploited Vulnerabilities (KEV) catalog on November 13, 2023.

Affected Versions

Product                    | Affected versions          | Fixed in
---------------------------|----------------------------|-----------
Junos OS on EX Series      | 20.4 prior to 20.4R3-S9    | 20.4R3-S9
Junos OS on EX Series      | 21.2 prior to 21.2R3-S7    | 21.2R3-S7
Junos OS on EX Series      | 21.4 prior to 21.4R3-S5    | 21.4R3-S5
Junos OS on EX Series      | 22.1 prior to 22.1R3-S4    | 22.1R3-S4
Junos OS on EX Series      | 22.2 prior to 22.2R3-S2    | 22.2R3-S2
Junos OS on EX Series      | 22.3 prior to 22.3R2-S2    | 22.3R2-S2
Junos OS on EX Series      | 22.4 prior to 22.4R2-S1    | 22.4R2-S1
Junos OS on EX Series      | 23.2                       | 23.2R1

Note: a device is exposed only if J-Web is enabled. J-Web is enabled when web-management is configured under the [edit system services web-management] hierarchy; a device with no such configuration is not affected, regardless of version.
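The table above is only useful if it is applied to every EX switch in an estate, and Junos version strings (release number, optional -S service release, optional trailing build number) do not compare correctly as plain strings. The following added example, not code from this page or from Juniper, encodes the table's "prior to" bounds and checks a version string, or the Junos: line of show version output, against them. Trains the table does not list (including the 23.2 row, which gives no lower bound) are reported as not covered rather than guessed; the sample show version text is constructed for the example.

```python
"""Check a Junos EX Series version against the CVE-2023-36844 fixed releases listed above."""
import re
from typing import Optional, Tuple

# First fixed release per train, taken from the affected-versions table on this page.
# 23.2 is omitted on purpose: the table states no "prior to" bound for that train,
# so consult the vendor bulletin for it.
FIXED_RELEASES = {
    "20.4": "20.4R3-S9",
    "21.2": "21.2R3-S7",
    "21.4": "21.4R3-S5",
    "22.1": "22.1R3-S4",
    "22.2": "22.2R3-S2",
    "22.3": "22.3R2-S2",
    "22.4": "22.4R2-S1",
}

# <major>.<minor>R<release>[-S<service>][.<build>]  e.g. 21.4R3-S4.5
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<release>\d+)"
    r"(?:-S(?P<service>\d+))?(?:\.(?P<build>\d+))?$"
)

# Constructed sample of `show version` output (only the "Junos:" line is parsed).
SAMPLE_SHOW_VERSION = """Hostname: ex-core-01
Model: ex4300-48p
Junos: 21.4R3-S4.5
"""


def parse_junos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, R, S); a missing -S suffix counts as service release 0.
    The trailing build number is ignored: 20.4R3-S9.1 is not 'prior to' 20.4R3-S9."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    return (int(m["major"]), int(m["minor"]), int(m["release"]),
            int(m["service"] or 0))


def assess(version: str) -> str:
    """'vulnerable', 'fixed', or 'not-covered' (train absent from the table)."""
    parsed = parse_junos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return "not-covered"
    # Tuple comparison orders R before S, so 22.4R3 (S=0) correctly ranks above 22.4R2-S1.
    return "vulnerable" if parsed < parse_junos_version(fixed) else "fixed"


def version_from_show_version(output: str) -> Optional[str]:
    """Extract the version from the 'Junos: <version>' line of `show version`."""
    m = re.search(r"^Junos:\s+(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    ver = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(f"{ver}: {assess(ver)}")
    for v in ("22.4R2", "22.4R2-S1", "22.4R3", "20.4R3-S10", "23.2R1"):
        print(f"{v}: {assess(v)}")
```

Feed it the output of `show version` collected from each switch; anything reported as "not-covered" (older trains, 23.2, or a version string the regex rejects) needs a manual check against the vendor bulletin rather than being assumed safe.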

Technical Details

PHP external variable modification (CWE-473) occurs when a web application lets external input, typically HTTP request parameters or headers, set PHP configuration or environment values that should be under the server's sole control. In J-Web, an unauthenticated HTTP request can set or override certain environment variables of the PHP application, and those variables change how the application processes subsequent requests.

Combined with the companion file upload vulnerabilities, the attack chain has three parts:

  1. Environment variable modification (CVE-2023-36844, or CVE-2023-36845 on EX and SRX) — a crafted request sets PHP environment variables that influence file handling, for example where PHP looks for its configuration, include paths, or auto-prepend file settings
  2. Unauthenticated file upload (CVE-2023-36846, CVE-2023-36847, or CVE-2023-36851) — a separate request to a file upload function that lacks authentication writes attacker-controlled content, such as a PHP webshell or a PHP configuration file, to the device filesystem
  3. Execution — because of the modified environment from step 1, the J-Web PHP process includes or executes the uploaded content, giving the attacker code execution in the context of the J-Web web server process

Each vulnerability carries a CVSS score of 5.3 on its own, and none of them alone crosses into code execution; the combination achieves unauthenticated remote code execution, which is why Juniper rated the chain 9.8.
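To make the CWE-473 pattern concrete, the following added example (illustrative code, not J-Web's implementation and not from this page) models a CGI-style gateway that builds the environment for a php-cgi child. The vulnerable builder copies query parameters into that environment verbatim; the hardened one confines client data to the CGI meta-variables and HTTP_-prefixed header variables. PHPRC is used as the example variable because it is a real PHP mechanism (it overrides where PHP looks for php.ini, and a php.ini can set auto_prepend_file), which matches the "auto-prepend" behaviour described above; whether J-Web's actual bug used this variable is not something this page establishes. The parent environment, request, and default php.ini path are constructed for the example.

```python
"""CWE-473 illustration: request data leaking into a CGI child's environment, and the fix."""
from typing import Dict, Mapping
from urllib.parse import parse_qs

# Variables the gateway may pass through from its own environment: an allowlist,
# never the whole parent environment.
INHERITABLE = ("PATH", "LANG")
# php.ini location assumed for this illustration when PHPRC is unset; real builds vary.
DEFAULT_PHP_INI = "/usr/local/etc/php.ini"

# Constructed inputs for the demonstration.
SAMPLE_PARENT_ENV = {"PATH": "/usr/bin:/bin", "HOME": "/var/www", "API_TOKEN": "not-for-php"}
ATTACKER_QUERY = "PHPRC=/var/tmp/attacker.ini&page=status"


def _header_vars(headers: Mapping[str, str]) -> Dict[str, str]:
    """CGI forwards request headers as HTTP_<NAME>; the fixed prefix keeps a header
    literally named PHPRC from ever becoming the PHPRC variable."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}


def build_env_vulnerable(method: str, script: str, query: str,
                         headers: Mapping[str, str],
                         parent_env: Mapping[str, str]) -> Dict[str, str]:
    """Hypothetical gateway with the CWE-473 defect."""
    env = dict(parent_env)  # inherits everything, including secrets PHP never needed
    env.update({"REQUEST_METHOD": method, "SCRIPT_NAME": script, "QUERY_STRING": query})
    env.update(_header_vars(headers))
    # BUG: every query parameter is exported under the name the client chose, so
    # ?PHPRC=/var/tmp/x.ini makes php-cgi read a client-selected php.ini.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        env[name] = values[-1]
    return env


def build_env_hardened(method: str, script: str, query: str,
                       headers: Mapping[str, str],
                       parent_env: Mapping[str, str]) -> Dict[str, str]:
    """Same gateway with request data confined to CGI meta-variables and HTTP_ headers."""
    env = {k: parent_env[k] for k in INHERITABLE if k in parent_env}
    env.update({"REQUEST_METHOD": method, "SCRIPT_NAME": script, "QUERY_STRING": query})
    env.update(_header_vars(headers))
    # The raw query is still available to PHP via QUERY_STRING; no client-chosen name
    # ever becomes an environment variable.
    return env


def php_ini_location(env: Mapping[str, str]) -> str:
    """Where php-cgi would look for php.ini given this environment: PHPRC wins if set."""
    return env.get("PHPRC", DEFAULT_PHP_INI)


if __name__ == "__main__":
    for builder in (build_env_vulnerable, build_env_hardened):
        env = builder("GET", "/index.php", ATTACKER_QUERY, {"Host": "ex-core-01"},
                      SAMPLE_PARENT_ENV)
        print(f"{builder.__name__}: php.ini from {php_ini_location(env)}; "
              f"PHPRC set: {'PHPRC' in env}; API_TOKEN leaked: {'API_TOKEN' in env}")
```

The design point is that the hardened builder has no code path from client-controlled names to environment variable names: request data reaches PHP only through the fixed CGI meta-variables and the HTTP_ prefix, and the inherited environment is an explicit allowlist rather than a copy of the gateway's process environment.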

Discovery

Juniper disclosed this vulnerability cluster itself, through the August 17, 2023 out-of-cycle bulletin. CISA adds a CVE to the KEV catalog only on evidence of active exploitation, so the November 13, 2023 addition of CVE-2023-36844 (with CVE-2023-36846, CVE-2023-36847, and CVE-2023-36851) confirms that in-the-wild exploitation of unpatched, internet-facing J-Web interfaces was observed within roughly three months of the patches becoming available.

Exploitation Context

Internet-facing network device management interfaces are persistent exploitation targets because network devices:

  • Often run for years between major software upgrades
  • Provide a privileged network vantage point for traffic interception, routing manipulation, and lateral movement
  • Are sometimes excluded from standard vulnerability management programs focused on servers and endpoints

The chained J-Web pre-auth RCE was actively exploited against enterprise and service provider Juniper EX and SRX devices. Successful exploitation gives attackers code execution in the J-Web web server context, from which they can pivot to the underlying Junos shell.

Remediation

  1. Upgrade to a fixed Junos OS release — apply the releases listed in the affected/fixed table above, or later; these were released with Juniper's August 2023 out-of-cycle bulletin.
  2. Disable J-Web if it is not required — remove the web-management configuration under [edit system services web-management]; CLI management over SSH is not affected by any of these vulnerabilities.
  3. Restrict J-Web access if it must stay enabled — limit it to trusted management networks and hosts (for example, by binding it to a management interface and filtering the HTTP/HTTPS ports); the J-Web interface should never be reachable from the internet.
  4. Review J-Web access logs for unexpected source addresses, unusual HTTP requests to J-Web endpoints, and unexpected PHP files on the device, which may indicate prior exploitation attempts.
  5. Apply the whole bulletin, not just this CVE — the out-of-cycle bulletin covers CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847, and CVE-2023-36851 in the same fixed releases; the chain works with either environment variable bug and any of the upload bugs, so a device is remediated only when all of them are fixed.

Key Details

Property             | Value
---------------------|------------------------------------------------
CVE ID               | CVE-2023-36844
Vendor / Product     | Juniper — Junos OS
NVD Published        | 2023-08-17
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 5.3
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity             | MEDIUM
CWE                  | CWE-473
CISA KEV Added       | 2023-11-13
CISA KEV Deadline    | 2023-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     None
Integrity:           Low
Availability:        None

Required Action

CISA BOD 22-01 Deadline: 2023-11-17. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
-----------|------------------------------------------------------------
2023-08-17 | Juniper releases the out-of-cycle security bulletin disclosing CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847, and CVE-2023-36851: multiple J-Web vulnerabilities on EX and SRX Series that can be combined for pre-auth RCE
2023-11-13 | CISA adds CVE-2023-36844 to the Known Exploited Vulnerabilities catalog, alongside CVE-2023-36846, CVE-2023-36847, and CVE-2023-36851
2023-11-17 | CISA BOD 22-01 remediation deadline

References

Resource                     | Type
-----------------------------|-----------------------
NVD — CVE-2023-36844         | Vulnerability Database
CISA KEV Catalog Entry       | US Government