PT-2023-22056 · Juniper Networks · Appid Sigpack+2

Published: 2023-04-17 · Updated: 2023-04-27 · CVE-2023-28968

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Junos OS versions prior to 19.1R3-S10
Junos OS versions 19.2 prior to 19.2R3-S7
Junos OS versions 19.3 prior to 19.3R3-S8
Junos OS versions 19.4 prior to 19.4R3-S11
Junos OS version 20.1R1 and later versions prior to 20.2R3-S7
Junos OS version 20.3R1 and later versions prior to 20.4R3-S6
Junos OS versions 21.1 prior to 21.1R3-S5
Junos OS versions 21.2 prior to 21.2R3-S4
Junos OS versions 21.3 prior to 21.3R3-S3
Junos OS versions 21.4 prior to 21.4R3-S3
Junos OS versions 22.1 prior to 22.1R3-S1
Junos OS versions 22.2 prior to 22.2R2-S1, 22.2R3
Junos OS versions 22.3 prior to 22.3R1-S2, 22.3R2
JDPI-Decoder Engine versions prior to 5.7.0-47
AppID SigPack versions prior to 1.550.2-31
Description

An Improperly Controlled Sequential Memory Allocation issue in the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) Application Signature component of the AppID service in Junos OS on SRX Series devices stops the JDPI-Decoder from identifying dynamic application traffic. An unauthenticated, network-based attacker triggers it by sending traffic through the device to the JDPI-Decoder, which is designed to inspect dynamic application traffic and act on it; once triggered, the decoder stops taking action and passes the traffic through.

The practical consequence is a fail-open: AppID-based security policies (blocking, logging or rate-limiting by identified application) are no longer enforced for the traffic the decoder fails to classify. That is why the vector scores only low integrity impact (C:N/I:L/A:N); the device keeps forwarding, and what is lost is policy enforcement, not availability.
Recommendations

Upgrade the JDPI-Decoder Engine to version 5.7.0-47 or later and the AppID SigPack to version 1.550.2-31 or later. Upgrade Junos OS to one of the following releases, or a later release on the same branch: 19.1R3-S10, 19.2R3-S7, 19.3R3-S8, 19.4R3-S11, 20.2R3-S7, 20.4R3-S6, 21.1R3-S5, 21.2R3-S4, 21.3R3-S3, 21.4R3-S3, 22.1R3-S1, 22.2R2-S1, 22.2R3, 22.3R1-S2, 22.3R2.

Because the affected-version list names three components, verify all three after patching: `show version` for the Junos release, and `show services application-identification version` and `show services application-identification status` for the signature package and decoder engine versions. An SRX on a fixed Junos release that still carries an engine older than 5.7.0-47 or a SigPack older than 1.550.2-31 remains within the affected ranges listed above.

There is no meaningful configuration workaround. Disabling the JDPI-Decoder removes dynamic application identification altogether, which is the same loss of inspection the vulnerability causes, and the AppID SigPack is a signature bundle installed on the device rather than a network-reachable service, so there is no access to it to restrict. Until the upgrade is complete, treat policies on the affected SRX that depend on dynamic application matching as unenforced and rely on static (address- and port-based) policy for any control that matters.
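The affected-version list above is easier to apply to a device inventory programmatically than by eye, because the branches behave differently: every release before 19.1R3-S10 is affected regardless of branch, 20.1 and 20.3 have no fix on their own branch and must move to 20.2R3-S7 or 20.4R3-S6, and 22.2 and 22.3 each list two fixed releases. The following Python is an added example written for this page, not code from Juniper or from the advisory. The function names and the sample inventory are constructed for illustration, and the parser only accepts the `MM.mRn[-Sx]` release format, so any other Junos version string raises an error rather than being guessed at.

```python
import re
from typing import Optional, Tuple

# First fixed Junos OS release per affected branch, as listed in the advisory.
# Any release on the same branch at or after this entry is fixed, so for 22.2
# both 22.2R2-S1 (and later S builds) and 22.2R3 compare as fixed.
FIXED_BY_BRANCH = {
    (19, 1): "19.1R3-S10",
    (19, 2): "19.2R3-S7",
    (19, 3): "19.3R3-S8",
    (19, 4): "19.4R3-S11",
    (20, 2): "20.2R3-S7",
    (20, 4): "20.4R3-S6",
    (21, 1): "21.1R3-S5",
    (21, 2): "21.2R3-S4",
    (21, 3): "21.3R3-S3",
    (21, 4): "21.4R3-S3",
    (22, 1): "22.1R3-S1",
    (22, 2): "22.2R2-S1",
    (22, 3): "22.3R1-S2",
}

# Branches the advisory calls affected without a fix on that branch:
# the upgrade target is the fixed release on the next listed branch.
NO_FIX_ON_BRANCH = {
    (20, 1): "20.2R3-S7",
    (20, 3): "20.4R3-S6",
}

# Component versions below which the advisory lists as affected.
COMPONENT_FIXED = {
    "jdpi-decoder": "5.7.0-47",
    "appid-sigpack": "1.550.2-31",
}

_JUNOS_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")


def parse_junos(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MM.mRn[-Sx]' into (major, minor, R, S); a missing S counts as 0."""
    m = _JUNOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, r, s = m.groups()
    return (int(major), int(minor), int(r), int(s or 0))


def assess_junos(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, upgrade_target) for a Junos OS release string.

    upgrade_target is None when the branch is newer than anything the
    advisory lists, i.e. the release is outside its affected ranges.
    """
    v = parse_junos(version)
    branch = v[:2]
    if branch < (19, 1):
        # "Junos OS versions prior to 19.1R3-S10" covers every older branch.
        return True, FIXED_BY_BRANCH[(19, 1)]
    if branch in NO_FIX_ON_BRANCH:
        return True, NO_FIX_ON_BRANCH[branch]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        return (v < parse_junos(fixed)), fixed
    return False, None


def _numeric_parts(version: str) -> Tuple[int, ...]:
    """Split '5.7.0-47' into (5, 7, 0, 47) so versions compare numerically."""
    parts = re.split(r"[.\-]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised component version: {version!r}")
    return tuple(int(p) for p in parts)


def assess_component(kind: str, version: str) -> bool:
    """True if a JDPI-Decoder engine or AppID SigPack version is below the fix."""
    return _numeric_parts(version) < _numeric_parts(COMPONENT_FIXED[kind])


if __name__ == "__main__":
    # Constructed sample inventory for demonstration, not real devices.
    for ver in ["18.4R3-S9", "19.4R3-S10", "19.4R3-S11", "20.1R3-S4",
                "22.2R2", "22.2R3", "22.4R1"]:
        affected, target = assess_junos(ver)
        print(f"{ver:12} affected={affected!s:5} upgrade_to={target}")
    print("engine 5.7.0-46 affected:", assess_component("jdpi-decoder", "5.7.0-46"))
    print("sigpack 1.550.2-31 affected:", assess_component("appid-sigpack", "1.550.2-31"))
```

Run it against the Junos, engine and SigPack versions read from each SRX; a device counts as affected if any of the three checks returns True, since the advisory lists each component separately.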

Weakness Enumeration

CWE-770: Allocation of Resources Without Limits or Throttling

Related identifiers

CVE-2023-28968

Affected products

Appid Sigpack
Jdpi-Decoder Engine
Junos