What is Juniper Junos OS J-Web?
Junos OS is Juniper's network operating system; on the EX Series it runs the company's enterprise and campus switches. J-Web is the browser-accessible, PHP-based management interface bundled with Junos OS. The installAppPackage.php endpoint belongs to J-Web's package-management feature, which installs software packages on the switch. Because the endpoint performs no authentication check, an unauthenticated attacker can use it to write files onto the device; that file write is the upload stage of a pre-authentication remote code execution chain when combined with the PHP environment-variable modification flaw CVE-2023-36844.
Overview
CVE-2023-36847 is a missing authentication for a critical function vulnerability (CWE-306) in the Juniper Junos OS J-Web interface on EX Series switches. The installAppPackage.php endpoint does not require authentication, allowing an unauthenticated remote attacker to upload arbitrary files via J-Web. Like CVE-2023-36846 (the SRX companion), this provides the file-upload stage of a pre-auth RCE chain when combined with CVE-2023-36844.
The four J-Web CVEs in Juniper's August 17, 2023 out-of-cycle bulletin (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846 and CVE-2023-36847) were added to the CISA KEV catalog together on November 13, 2023. CVE-2023-36851, a second unauthenticated upload endpoint on SRX Series, was published after the initial bulletin.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Junos OS on EX Series | 20.4 prior to 20.4R3-S9 | 20.4R3-S9 |
| Junos OS on EX Series | 21.2 prior to 21.2R3-S7 | 21.2R3-S7 |
| Junos OS on EX Series | 21.4 prior to 21.4R3-S5 | 21.4R3-S5 |
| Junos OS on EX Series | 22.1 prior to 22.1R3-S4 | 22.1R3-S4 |
| Junos OS on EX Series | 22.2 prior to 22.2R3-S2 | 22.2R3-S2 |
| Junos OS on EX Series | 22.3 prior to 22.3R2-S2 | 22.3R2-S2 |
| Junos OS on EX Series | 22.4 prior to 22.4R2-S1 | 22.4R2-S1 |
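A practical way to use the table is to compare a device's reported version against the fixed release for its branch. The following is an added example, not Juniper tooling: it transcribes the branches above, parses Junos version strings of the form `major.minorR<release>[-S<service>][.build]`, and extracts the version from captured `show version` output, whose `Junos: ...` line format is assumed here. Branches the table does not list return `None` rather than a verdict; check the Juniper advisory for those.

```python
import re
from typing import Optional, Tuple

# Fixed releases per Junos OS branch for EX Series, transcribed from the
# Affected Versions table above. Branches not listed (for example 19.x)
# are outside this table; consult the Juniper advisory for those.
FIXED_BY_BRANCH = {
    "20.4": "20.4R3-S9",
    "21.2": "21.2R3-S7",
    "21.4": "21.4R3-S5",
    "22.1": "22.1R3-S4",
    "22.2": "22.2R3-S2",
    "22.3": "22.3R2-S2",
    "22.4": "22.4R2-S1",
}

# Junos version strings look like 21.4R3-S4.9: major.minor, R<release>,
# optional -S<service release>, optional .<build>. The build number is
# ignored because the fixes are cut at the service-release level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_junos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, release, service) as a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Junos OS version string: {version!r}")
    major, minor, release, service = m.groups()
    return int(major), int(minor), int(release), int(service or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if below the fixed release for its branch, False if at or above it,
    None if the branch is not covered by the table."""
    parsed = parse_junos_version(version)
    fixed = FIXED_BY_BRANCH.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed < parse_junos_version(fixed)


# Assumption: 'show version' output contains a line such as 'Junos: 21.4R3-S4.9'.
_SHOW_VERSION_RE = re.compile(r"^Junos:\s*(\S+)\s*$", re.MULTILINE)


def version_from_show_version(output: str) -> str:
    """Pull the Junos version string out of captured 'show version' output."""
    m = _SHOW_VERSION_RE.search(output)
    if m is None:
        raise ValueError("no 'Junos:' line found in show version output")
    return m.group(1)


# Constructed sample of 'show version' output (not captured from a real device).
SAMPLE_SHOW_VERSION = """Hostname: ex4300-core-1
Model: ex4300-48t
Junos: 21.4R3-S4.9
"""

if __name__ == "__main__":
    v = version_from_show_version(SAMPLE_SHOW_VERSION)
    verdict = {True: "affected", False: "fixed", None: "branch not in table"}
    print(v, verdict[is_affected(v)])
```

Because the comparison is done on a (major, minor, release, service) tuple, a later release on the same branch (22.4R3 against a fixed 22.4R2-S1) correctly counts as fixed, and a build suffix (20.4R3-S9.1) does not change the verdict.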
Technical Details
The installAppPackage.php endpoint performs no authentication check (CWE-306), so any unauthenticated HTTP request can trigger a file write to a filesystem path managed by J-Web. On its own that is only a limited integrity impact (the CVSS vector records I:L), which is why the standalone score is 5.3; the danger is the chain:
- Upload a PHP webshell (CVE-2023-36847): POST a PHP file to installAppPackage.php without authentication; the file is written to a location the J-Web PHP runtime can read.
- Modify PHP environment variables (CVE-2023-36844): set environment variables that control how the J-Web PHP interpreter handles subsequent requests, so that the uploaded file is included or auto-prepended.
- Execute the webshell: the next PHP request evaluates the uploaded code in the J-Web PHP context, giving unauthenticated remote code execution.
The EX Series chain uses CVE-2023-36847 as the upload stage with CVE-2023-36844 (EX only) or CVE-2023-36845 (EX and SRX) as the environment-variable stage; the SRX Series chain uses CVE-2023-36846 (user.php) or CVE-2023-36851 (webauth_operation.php) for the upload and CVE-2023-36845 for the environment variables.
Exploitation Context
Compromised EX Series switches provide an attacker access to the switch's management plane — enabling VLAN manipulation, spanning tree attacks, and port mirroring for traffic capture across all connected hosts in the switched environment. Enterprise switches are high-value targets because a single compromised switch can provide visibility into all traffic from the dozens or hundreds of hosts connected to it.
Remediation
- Apply the fixed Junos OS releases from Juniper's August 2023 out-of-cycle bulletin (see the Affected Versions table); the same releases address the companion J-Web CVEs, including CVE-2023-36844, so the chain is broken at both stages.
- Disable J-Web on EX Series switches where it is not needed. Switches are normally managed over the SSH CLI or NETCONF; removing the web-management service from the configuration eliminates the web attack surface entirely, and Juniper lists disabling J-Web as a workaround.
- Restrict J-Web to management networks if it must stay enabled: apply a firewall filter on the loopback interface so that TCP 80/443 to the switch is accepted only from designated management prefixes.
- Inspect web server logs for POST requests to installAppPackage.php, in particular POSTs from hosts that never completed a J-Web login, as indicators of exploitation attempts.
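Detection logic over constructed sample log lines, as an added example that is not part of this page or of Juniper's tooling: it assumes an Apache-style combined access log layout, which may not match the J-Web server's actual log format on a device, and matches only the script basenames named on this page rather than any assumed path prefix.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Combined-format access log line (Apache style). Assumption: the J-Web web
# server log on a real device may use a different layout; adapt this pattern.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# J-Web upload endpoints named on this page, keyed by script basename.
UPLOAD_ENDPOINTS = {
    "installAppPackage.php": "CVE-2023-36847 (EX Series)",
    "user.php": "CVE-2023-36846 (SRX Series)",
    "webauth_operation.php": "CVE-2023-36851 (SRX Series)",
}


@dataclass(frozen=True)
class Finding:
    source_ip: str
    timestamp: str
    path: str
    status: int
    cve: str


def find_upload_attempts(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per POST to a known unauthenticated upload endpoint.

    These endpoints are only reached from inside an interactive J-Web session
    in normal use, so every POST to them is worth review; the status code says
    whether the server accepted the request.
    """
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m is None or m["method"] != "POST":
            continue
        script = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        cve = UPLOAD_ENDPOINTS.get(script)
        if cve is None:
            continue
        findings.append(Finding(m["ip"], m["ts"], m["path"], int(m["status"]), cve))
    return findings


def successful_uploads(findings: Iterable[Finding]) -> List[Finding]:
    """Subset of findings the server answered with a 2xx status (upload likely landed)."""
    return [f for f in findings if 200 <= f.status < 300]


# Constructed sample log (not from a real device): a benign login, an
# unauthenticated POST from a scripted client that succeeded, a GET to the
# same script (not an upload), and a failed POST from another source.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Aug/2023:03:14:07 +0000] "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Aug/2023:03:14:20 +0000] "POST /login.php HTTP/1.1" 302 0 "https://switch/login.php" "Mozilla/5.0"
198.51.100.7 - - [20/Aug/2023:03:15:09 +0000] "POST /installAppPackage.php HTTP/1.1" 200 212 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/Aug/2023:03:15:11 +0000] "GET /installAppPackage.php HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
203.0.113.5 - - [20/Aug/2023:03:16:00 +0000] "POST /installAppPackage.php?x=1 HTTP/1.1" 500 0 "-" "curl/8.1.2"
"""

if __name__ == "__main__":
    hits = find_upload_attempts(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp} {f.source_ip} POST {f.path} -> {f.status} [{f.cve}]")
```

A combined-format line does not show whether the client held a valid J-Web session, so the function flags every POST to the endpoint and leaves the session correlation (did that source IP ever complete a login?) to the analyst; the 2xx filter is the quickest way to prioritise the hits that most likely resulted in a file on disk.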
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-36847 |
| Vendor / Product | Juniper — Junos OS |
| NVD Published | 2023-08-17 |
| NVD Last Modified | 2026-02-26 |
| CVSS 3.1 Score | 5.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-306 |
| CISA KEV Added | 2023-11-13 |
| CISA KEV Deadline | 2023-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-08-17 | Juniper publishes an out-of-cycle security bulletin disclosing the J-Web vulnerabilities for EX and SRX Series; CVE-2023-36847 is patched alongside CVE-2023-36844, CVE-2023-36845 and CVE-2023-36846 |
| 2023-11-13 | CISA adds CVE-2023-36847 to the Known Exploited Vulnerabilities catalog |
| 2023-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2023-36847 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |