| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An Improper Neutralization of Delimiters vulnerability in the UI of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with high privileges to modify the system configuration.
A user with limited configuration and commit permissions, using a specifically crafted annotate configuration command, can change any part of the device configuration.
This issue affects:
Junos OS:
* all versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2-S1,
* 24.4 versions before 24.4R1-S2, 24.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S7-EVO,
* 23.2-EVO versions before 23.2R2-S4-EVO,
* 23.4-EVO versions before 23.4R2-S5-EVO,
* 24.2-EVO versions before 24.2R2-S1-EVO
* 24.4-EVO versions before 24.4R2-EVO. |
| An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, local attacker to escalated their privileges to root.
When a user provides specifically crafted arguments to the 'request system logout' command, these will be executed as root on the shell, which can completely compromise the device.
This issue affects:
Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S8,
* 22.2 versions before 22.2R3-S6,
* 22.3 versions before 22.3R3-S3,
* 22.4 versions before 22.4R3-S6,
* 23.2 versions before 23.2R2-S1,
* 23.4 versions before 23.4R1-S2, 23.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S6-EVO,
* 23.2-EVO versions before 23.2R2-S1-EVO,
* 23.4-EVO versions before 23.4R1-S2-EVO, 23.4R2-EVO. |
| A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the device.
When RIB sharding is enabled and a user executes one of several routing related 'show' commands, a certain amount of memory is leaked. When all available memory has been consumed rpd will crash and restart.
The leak can be monitored with the CLI command:
show task memory detail | match task_shard_mgmt_cookie
where the allocated memory in bytes can be seen to continuously increase with each exploitation.
This issue affects:
Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S11,
* 22.2 versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2,
* 24.4 versions before 24.4R1-S2, 24.4R2;
Junos OS Evolved:
* all versions before 22.2R3-S7-EVO
* 22.4-EVO versions before 22.4R3-S7-EVO,
* 23.2-EVO versions before 23.2R2-S4-EVO,
* 23.4-EVO versions before 23.4R2-S4-EVO,
* 24.2-EVO versions before 24.2R2-EVO,
* 24.4-EVO versions before 24.4R2-EVO. |
| A Use of Incorrect Operator
vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.
When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered.
This issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.
This issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.
This issue affects Junos OS Evolved:
* 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,
* 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,
* 24.2R2-EVO versions before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue doesn't affect Junos OS Evolved versions before 23.2R1-EVO. |
| A NULL Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause impact to the availability of the device.
When static route points to a reject next hop and a gNMI query is processed for that static route, rpd crashes and restarts.
This issue affects:
Junos OS: * all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S10,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R1-S2, 24.2R2;
Junos OS Evolved:
* all versions before 22.4R3-S7-EVO,
* 23.2-EVO
versions before 23.2R2-S3-EVO,
* 23.4-EVO versions before 23.4R2-S4-EVO,
* 24.2-EVO versions before 24.2R2-EVO. |
| A UI Discrepancy for Security Feature
vulnerability in the UI of Juniper Networks Junos OS on VM Host systems allows a network-based, unauthenticated attacker to access the device.
On VM Host Routing Engines (RE), even if the configured public key for root has been removed, remote users which are in possession of the corresponding private key can still log in as root.
This issue affects Junos OS:
* all versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S5,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S3,
* 24.2 versions before 24.2R1-S2, 24.2R2. |
| An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
When an MX Series device with an MS-MPC is configured with two or more service sets which are both processing SIP calls, a specific sequence of call events will lead to a crash and restart of the MS-MPC.
This issue affects Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions from 21.4R1,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6.
As the MS-MPC is EoL after Junos OS 22.4, later versions are not affected.
This issue does not affect MX-SPC3 or SRX Series devices. |
| An Incorrect Calculation vulnerability in the Layer 2 Control
Protocol
Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage.
When the issue is seen, the following log message will be generated:
op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP,
This issue affects Junos OS Evolved:
* all versions before 21.4R3-S7-EVO,
* from 22.2 before 22.2R3-S4-EVO,
* from 22.3 before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-S2-EVO,
* from 23.2 before 23.2R2-S1-EVO,
* from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO. |
| An Improper Check or Handling of Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).
If an attacker sends a specific MPLS packet, which upon processing, causes an internal loop, that leads to a PFE crash and restart. Continued receipt of these packets leads to a sustained Denial of Service (DoS) condition.
Circuit cross-connect (CCC) needs to be configured on the device for it to be affected by this issue.
This issue only affects MX Series with MPC10, MPC11, LC9600, and MX304.
This issue affects:
Juniper Networks Junos OS
21.4 versions from 21.4R3 earlier than 21.4R3-S5;
22.2 versions from 22.2R2 earlier than 22.2R3-S2;
22.3 versions from 22.3R1 earlier than 22.3R2-S2;
22.3 versions from 22.3R3 earlier than 22.3R3-S1
22.4 versions from 22.4R1 earlier than 22.4R2-S2, 22.4R3;
23.2 versions earlier than 23.2R1-S1, 23.2R2. |
| A Cleartext Storage in a File on Disk vulnerability in Juniper Networks Junos OS Evolved ACX Series devices using the Paragon Active Assurance Test Agent software installed on network devices allows a local, authenticated attacker with high privileges to read all other users login credentials.
This issue affects only Juniper Networks Junos OS Evolved ACX Series devices using the Paragon Active Assurance Test Agent software installed on these devices from 23.1R1-EVO through 23.2R2-EVO.
This issue does not affect releases before 23.1R1-EVO. |
| An Improper Isolation or Compartmentalization vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on QFX5000 Series and EX Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).
If a specific malformed LACP packet is received by a QFX5000 Series, or an EX4400, EX4100 or EX4650 Series device, an LACP flap will occur resulting in traffic loss.
This issue affects Junos OS on QFX5000 Series, and on EX4400, EX4100 or EX4650 Series:
* 20.4 versions from
20.4R3-S4
before 20.4R3-S8,
* 21.2 versions from
21.2R3-S2
before 21.2R3-S6,
* 21.4 versions from
21.4R2
before 21.4R3-S4,
* 22.1 versions from
22.1R2
before 22.1R3-S3,
* 22.2 versions before 22.2R3-S1,
* 22.3 versions before 22.3R2-S2, 22.3R3,
* 22.4 versions before 22.4R2-S1, 22.4R3. |
| A Stack-based Buffer Overflow vulnerability in Flow Processing Daemon (flowd) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause Denial of Service (DoS).
On all Junos OS MX Series platforms with SPC3 and MS-MPC/-MIC, when URL filtering is enabled and a specific URL request is received and processed, flowd will crash and restart. Continuous reception of the specific URL request will lead to a sustained Denial of Service (DoS) condition.
This issue affects:
Junos OS:
* all versions before 21.2R3-S6,
* from 21.3 before 21.3R3-S5,
* from 21.4 before 21.4R3-S5,
* from 22.1 before 22.1R3-S3,
* from 22.2 before 22.2R3-S1,
* from 22.3 before 22.3R2-S2, 22.3R3,
* from 22.4 before 22.4R2-S1, 22.4R3. |
| An Out-of-bounds Read vulnerability in the advanced forwarding management process aftman of Juniper Networks Junos OS on MX Series with MPC10E, MPC11, MX10K-LC9600 line cards, MX304, and EX9200-15C, may allow an attacker to exploit a stack-based buffer overflow, leading to a reboot of the FPC.
Through code review, it was determined that the interface definition code for aftman could read beyond a buffer boundary, leading to a stack-based buffer overflow.
This issue affects Junos OS on MX Series and EX9200-15C:
* from 21.2 before 21.2R3-S1,
* from 21.4 before 21.4R3,
* from 22.1 before 22.1R2,
* from 22.2 before 22.2R2;
This issue does not affect:
* versions of Junos OS prior to 20.3R1;
* any version of Junos OS 20.4. |
| An Improper Handling of Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a logically adjacent downstream RSVP neighbor to cause kernel memory exhaustion, leading to a kernel crash, resulting in a Denial of Service (DoS).
The kernel memory leak and eventual crash will be seen when the downstream RSVP neighbor has a persistent error which will not be corrected.
System kernel memory can be monitored through the use of the 'show system kernel memory' command as shown below:
user@router> show system kernel memory
Real memory total/reserved: 4130268/ 133344 Kbytes
kmem map free: 18014398509110220 Kbytes
This issue affects:
Junos OS:
* All versions before 20.4R3-S9,
* All versions of 21.2,
* from 21.4 before 21.4R3-S5,
* from 22.1 before 22.1R3-S5,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S2,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2;
Junos OS Evolved:
* All versions before 21.4R3-S5-EVO,
* from 22.1-EVO before 22.1R3-S5-EVO,
* from 22.2-EVO before 22.2R3-S3-EVO,
* from 22.3-EVO before 22.3R3-S2-EVO,
* from 22.4-EVO before 22.4R3-EVO,
* from 23.2-EVO before 23.2R2-EVO. |
| An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series and NFX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
If an affected device receives specific valid traffic destined to the device, it will cause the PFE to crash and restart. Continued receipt and processing of this traffic will create a sustained DoS condition.
This issue affects Junos OS on SRX Series:
* 21.4 versions before 21.4R3-S7.9,
* 22.1 versions before 22.1R3-S5.3,
* 22.2 versions before 22.2R3-S4.11,
* 22.3 versions before 22.3R3,
* 22.4 versions before 22.4R3.
This issue affects Junos OS on NFX Series:
* 21.4 versions before 21.4R3-S8,
* 22.1 versions after 22.1R1,
* 22.2 versions before 22.2R3-S5,
* 22.3 versions before 22.3R3,
* 22.4 versions before 22.4R3.
Junos OS versions prior to 21.4R1 are not affected by this issue. |
| An Insertion of Sensitive Information into Log File vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with high privileges to access sensitive information.
When another user performs a specific operation, sensitive information is stored as plain text in a specific log file, so that a high-privileged attacker has access to this information.
This issue affects:
Junos OS:
* All versions before 21.2R3-S9;
*
21.4 versions before 21.4R3-S9;
* 22.2 versions before 22.2R2-S1, 22.2R3;
* 22.3 versions before 22.3R1-S1, 22.3R2;
Junos OS Evolved:
* All versions before before 22.1R3-EVO;
* 22.2-EVO versions before 22.2R2-S1-EVO, 22.2R3-EVO;
* 22.3-EVO versions before 22.3R1-S1-EVO, 22.3R2-EVO. |
| An Improper Handling of Values vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on ACX 7000 Series allows a network-based, unauthenticated attacker to cause a Denial-of-Service (DoS).
If a value is configured for DDoS bandwidth or burst parameters for any protocol in
a queue, all protocols which share the same queue will have
their bandwidth or burst value changed to the new value. If, for example, OSPF was configured with a certain bandwidth value, ISIS would also be limited to this value. So inadvertently either the control plane is open for a high level of specific traffic which was supposed to be limited to a lower value, or the limit for a certain protocol is so low that chances to succeed with a volumetric DoS attack are significantly increased.
This issue affects Junos OS Evolved on ACX 7000 Series:
* All versions before 21.4R3-S7-EVO,
* 22.1 versions before 22.1R3-S6-EVO,
* 22.2 versions before 22.2R3-S3-EVO,
* 22.3 versions before 22.3R3-S3-EVO,
* 22.4 versions before 22.4R3-S2-EVO,
* 23.2 versions before 23.2R2-EVO,
* 23.4
versions
before 23.4R1-S1-EVO, 23.4R2-EVO. |
| An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device.
While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device.
This issue affects Junos OS:
* All versions before 21.2R3-S8,
* from 21.4 before 21.4R3-S7,
* from 22.2 before 22.2R3-S4,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S2,
* from 23.2 before 23.2R2,
* from 23.4 before 23.4R1-S1, 23.4R2. |
| A Missing Release of Memory after Effective Lifetime vulnerability in the Periodic Packet Management Daemon (ppmd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a
Denial-of-Service (DoS).
When a BFD session configured with authentication flaps, ppmd memory can leak. Whether the leak happens depends on a race condition which is outside the attackers control. This issue only affects BFD operating in distributed aka delegated (which is the default behavior) or inline mode.
Whether the leak occurs can be monitored with the following CLI command:
> show ppm request-queue
FPC Pending-request
fpc0 2
request-total-pending: 2
where a continuously increasing number of pending requests is indicative of the leak.
This issue affects:
Junos OS:
* All versions before 21.2R3-S8,
* 21.4 versions before 21.4R3-S7,
* 22.1 versions before 22.1R3-S4,
* 22.2 versions before 22.2R3-S4,
* 22.3 versions before 22.3R3,
* 22.4 versions before 22.4R2-S2, 22.4R3.
Junos OS Evolved:
* All versions before 21.2R3-S8-EVO,
* 21.4-EVO versions before 21.4R3-S7-EVO,
* 22.2-EVO versions before 22.2R3-S4-EVO,
* 22.3-EVO versions before 22.3R3-EVO,
* 22.4-EVO versions before 22.4R3-EVO. |
| An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on ACX 7000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
When a device has a Layer 3 or an IRB interface configured in a VPLS instance and specific traffic is received, the evo-pfemand processes crashes which causes a service outage for the respective FPC until the system is recovered manually.
This issue only affects Junos OS Evolved 22.4R2-S1 and 22.4R2-S2 releases and is fixed in 22.4R3. No other releases are affected. |
