On EX4300 Series switches with TCAM optimization enabled, incoming multicast traffic matches an implicit loopback filter rule first, since it has high priority. This rule is meant for reserved multicast addresses 224.0.0.x, but incorrectly matches on 224.x.x.x. Due to this bug, when a firewall filter is applied on the loopback interface, other firewall filters might stop working for multicast traffic. The command 'show firewall filter' can be used to confirm whether the filter is working. This issue only affects the EX4300 switch. No other products or platforms are affected by this vulnerability. This issue affects: Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D51, 14.1X53-D115 on EX4300 Series; 17.1 versions prior to 17.1R3 on EX4300 Series; 17.2 versions prior to 17.2R3-S2 on EX4300 Series; 17.3 versions prior to 17.3R3-S3 on EX4300 Series; 17.4 versions prior to 17.4R2-S5, 17.4R3 on EX4300 Series; 18.1 versions prior to 18.1R3-S1 on EX4300 Series; 18.2 versions prior to 18.2R2 on EX4300 Series; 18.3 versions prior to 18.3R2 on EX4300 Series.
CVSS Score
5.8
EPSS Score
0.002
Published
2019-07-11
On Junos devices with the BGP graceful restart helper mode enabled or the BGP graceful restart mechanism enabled, a certain sequence of BGP session restart on a remote peer that has the graceful restart mechanism enabled may cause the local routing protocol daemon (RPD) process to crash and restart. Repeated crashes of the RPD process can cause prolonged Denial of Service (DoS). Graceful restart helper mode for BGP is enabled by default. No other Juniper Networks products or platforms are affected by this issue. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S3; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R3; 17.2X75 versions prior to 17.2X75-D105; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S7, 17.4R2-S2, 17.4R3; 18.1 versions prior to 18.1R3-S2; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D30; 18.3 versions prior to 18.3R1-S4, 18.3R2. Junos OS releases prior to 16.1R1 are not affected.
CVSS Score
7.5
EPSS Score
0.005
Published
2019-07-11
The srxpfe process may crash on SRX Series services gateways when the UTM module processes a specific fragmented HTTP packet. The packet is misinterpreted as a regular TCP packet which causes the processor to crash. This issue affects all SRX Series platforms that support URL-Filtering and have web-filtering enabled. Affected releases are Juniper Networks Junos OS: 12.3X48 versions prior to 12.3X48-D85 on SRX Series; 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190 on SRX Series; 17.3 versions on SRX Series; 17.4 versions prior to 17.4R1-S8, 17.4R2-S5, 17.4R3 on SRX Series; 18.1 versions prior to 18.1R3-S6 on SRX Series; 18.2 versions prior to 18.2R2-S1, 18.2R3 on SRX Series; 18.3 versions prior to 18.3R1-S2, 18.3R2 on SRX Series; 18.4 versions prior to 18.4R1-S1, 18.4R2 on SRX Series.
CVSS Score
7.5
EPSS Score
0.004
Published
2019-07-11
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client — accessible from the CLI or shell — in Junos OS. Inbound telnet services are not affected by this issue. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S13; 12.3X48 versions prior to 12.3X48-D80; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D237, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S11, 16.1R7-S4; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S6, 17.4R2-S3, 17.4R3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3, 18.3R2; 18.4 versions prior to 18.4R1-S2, 18.4R2.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-07-11
A certain sequence of valid BGP or IPv6 BFD packets may trigger a stack based buffer overflow in the Junos OS Packet Forwarding Engine manager (FXPC) process on QFX5000 series, EX4300, EX4600 devices. This issue can result in a crash of the fxpc daemon or may potentially lead to remote code execution. Affected releases are Juniper Networks Junos OS on QFX 5000 series, EX4300, EX4600 are: 14.1X53; 15.1X53 versions prior to 15.1X53-D235; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S2, 17.3R4; 17.4 versions prior to 17.4R2-S1, 17.4R3; 18.1 versions prior to 18.1R3-S1, 18.1R4; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R2.
CVSS Score
9.8
EPSS Score
0.048
Published
2019-04-10
When "set system ports console insecure" is enabled, root login is disallowed for Junos OS as expected. However, the root password can be changed using "set system root-authentication plain-text-password" on systems booted from an OAM (Operations, Administration, and Maintenance) volume, leading to a possible administrative bypass with physical access to the console. OAM volumes (e.g. flash drives) are typically instantiated as /dev/gpt/oam, or /oam for short. Password recovery, changing the root password from a console, should not have been allowed from an insecure console. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D68; 16.1 versions prior to 16.1R3-S10, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S8; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S3; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S2. This issue does not affect Junos OS releases prior to 15.1.
CVSS Score
6.8
EPSS Score
0.0
Published
2019-04-10
When configuring a stateless firewall filter in Junos OS, terms named using the format "internal-n" (e.g. "internal-1", "internal-2", etc.) are silently ignored. No warning is issued during configuration, and the config is committed without error, but the filter criteria will match all packets leading to unexpected results. Affected releases are Juniper Networks Junos OS: All versions prior to and including 12.3; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D161, 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D69; 16.1 versions prior to 16.1R7-S4, 16.1R7-S5; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S7, 17.4R2-S3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S4; 18.2 versions prior to 18.2R1-S5, 18.2R2-S1; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3; 18.4 versions prior to 18.4R1-S1, 18.4R1-S2.
CVSS Score
7.2
EPSS Score
0.003
Published
2019-04-10
In a Dynamic Host Configuration Protocol version 6 (DHCPv6) environment, the jdhcpd daemon may crash and restart upon receipt of certain DHCPv6 solicit messages received from a DHCPv6 client. By continuously sending the same crafted packet, an attacker can repeatedly crash the jdhcpd process causing a sustained Denial of Service (DoS) to both IPv4 and IPv6 clients. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D171, 15.1X49-D180; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496; 16.1 versions prior to 16.1R3-S10, 16.1R7-S4; 16.2 versions prior to 16.2R2-S8; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S3; 17.4 versions prior to 17.4R1-S6, 17.4R2-S3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S2; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S2. This issue does not affect Junos OS releases prior to 15.1.
CVSS Score
7.4
EPSS Score
0.002
Published
2019-04-10
Crafted packets destined to the management interface (fxp0) of an SRX340 or SRX345 services gateway may create a denial of service (DoS) condition due to buffer space exhaustion. This issue only affects the SRX340 and SRX345 services gateways. No other products or platforms are affected by this vulnerability. Affected releases are Juniper Networks Junos OS: 15.1X49 versions prior to 15.1X49-D160 on SRX340/SRX345; 17.3 on SRX340/SRX345; 17.4 versions prior to 17.4R2-S3, 17.4R3 on SRX340/SRX345; 18.1 versions prior to 18.1R3-S1 on SRX340/SRX345; 18.2 versions prior to 18.2R2 on SRX340/SRX345; 18.3 versions prior to 18.3R1-S2, 18.3R2 on SRX340/SRX345. This issue does not affect Junos OS releases prior to 15.1X49 on any platform.
CVSS Score
6.5
EPSS Score
0.001
Published
2019-04-10
If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.
CVSS Score
5.3
EPSS Score
0.003
Published
2019-04-10