PT-2020-14893 · Juniper Networks · Qfx5K Series+2

Published: 2020-10-16 · Updated: 2021-02-05 · CVE-2020-1685

CVSS v3.1: 5.8 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Juniper Networks Junos OS on QFX5K Series versions prior to 18.1R3-S7
Juniper Networks Junos OS on QFX5K Series versions prior to 18.2R2-S7
Juniper Networks Junos OS on QFX5K Series versions prior to 18.3R1-S5
Juniper Networks Junos OS on QFX5K Series versions prior to 18.4R1-S7
Juniper Networks Junos OS on QFX5K Series versions prior to 19.1R1-S5
Juniper Networks Junos OS on QFX5K Series versions prior to 19.2R1-S5

Description

The issue arises when configuring stateless firewall filters in Juniper Networks EX4600 and QFX 5000 Series devices using Virtual Extensible LAN protocol (VXLAN). Under certain conditions, the discard action will fail to discard traffic. This occurs when there is only one term containing a user-vlan-id match condition, and no other terms in the firewall filter except discard. As a result, the discard action for non-matching traffic will only discard traffic with the same VLAN ID specified under user-vlan-id. Other traffic will not be discarded, leading to unintended traffic passing through the interface where the firewall filter is applied. This issue only affects systems using VXLANs.

Recommendations

For Juniper Networks Junos OS on QFX5K Series versions prior to 18.1R3-S7, update to version 18.1R3-S7 or later.
For Juniper Networks Junos OS on QFX5K Series versions prior to 18.2R2-S7, update to version 18.2R2-S7 or later.
For Juniper Networks Junos OS on QFX5K Series versions prior to 18.3R1-S5, update to version 18.3R1-S5 or later.
For Juniper Networks Junos OS on QFX5K Series versions prior to 18.4R1-S7, update to version 18.4R1-S7 or later.
For Juniper Networks Junos OS on QFX5K Series versions prior to 19.1R1-S5, update to version 19.1R1-S5 or later.
For Juniper Networks Junos OS on QFX5K Series versions prior to 19.2R1-S5, update to version 19.2R1-S5 or later.
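
The per-train thresholds above can be checked mechanically against a device inventory. The following is an added example, not part of the original advisory or Juniper tooling: it assumes release strings of the form `<train>R<n>[-S<n>][.<build>]`, that the device is already known to be a QFX5K/EX4600, and the function names and sample inventory are constructed for illustration.

```python
import re

# First fixed release per train, copied from the list in this advisory.
FIXED = {
    "18.1": "18.1R3-S7",
    "18.2": "18.2R2-S7",
    "18.3": "18.3R1-S5",
    "18.4": "18.4R1-S7",
    "19.1": "19.1R1-S5",
    "19.2": "19.2R1-S5",
}

# Assumed release format: train, R number, optional service release, optional build.
_REL = re.compile(r"^(\d+\.\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?$")


def parse_release(version):
    """Return (train, (R, S, build)) or None if the string is not in the assumed format."""
    m = _REL.match(version.strip())
    if not m:
        return None
    train, r, s, build = m.groups()
    return train, (int(r), int(s or 0), int(build or 0))


def check(version):
    """Classify a release as 'affected', 'fixed', or 'not-listed' in this advisory."""
    parsed = parse_release(version)
    if parsed is None or parsed[0] not in FIXED:
        # Train not named on this page (or unparsed format): the page gives no verdict.
        return "not-listed"
    train, key = parsed
    _, fixed_key = parse_release(FIXED[train])
    return "affected" if key < fixed_key else "fixed"


if __name__ == "__main__":
    # Constructed inventory: hostname -> reported Junos release.
    inventory = {
        "leaf-01": "18.1R3-S6",
        "leaf-02": "18.4R2",
        "leaf-03": "19.2R1",
        "leaf-04": "17.3R3",
    }
    for host, release in inventory.items():
        print(f"{host}\t{release}\t{check(release)}")
```

A release flagged `affected` is only exposed if it also uses VXLAN and carries a filter of the shape described above, so the version check narrows the list of devices whose firewall filters need review.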

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2020-1685

Affected Products

Ex4600
Junos
Qfx5K Series