CVE-2020-1679

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS on PTX/QFX Series versions prior to 17.2X75-D105 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.1R3-S11 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.2R3-S5 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.2X75-D420 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.2X75-D53 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.2X75-D65 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.3R2-S4 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.3R3-S3 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.4R1-S7 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.4R2-S5 Juniper Networks Junos OS on PTX/QFX Series versions prior to 18.4R3-S4 Juniper Networks Junos OS on PTX/QFX Series versions prior to 19.1R2-S2 Juniper Networks Junos OS on PTX/QFX Series versions prior to 19.1R3-S2 Juniper Networks Junos OS on PTX/QFX Series versions prior to 19.2R1-S5 Juniper Networks Junos OS on PTX/QFX Series versions prior to 19.2R3 Juniper Networks Junos OS on PTX/QFX Series versions prior to 19.3R2-S3 Juniper Networks Junos OS on PTX/QFX Series versions prior to 19.3R3 Juniper Networks Junos OS on PTX/QFX Series versions prior to 19.4R1-S2 Juniper Networks Junos OS on PTX/QFX Series versions prior to 19.4R2-S1 Juniper Networks Junos OS on PTX/QFX Series versions prior to 19.4R3 Juniper Networks Junos OS on PTX/QFX Series versions prior to 20.1R1-S2 Juniper Networks Junos OS on PTX/QFX Series versions prior to 20.1R2

Description The issue exists due to insufficient input validation in the Kernel Routing Table (KRT) module of the Junos OS. When packet sampling is configured using tunnel-observation mpls-over-udp and a malformed packet is sampled, the KRT queue can become stuck. This can lead to unexpected packet forwarding issues. An administrator can monitor the KRT queue using the command show krt state to check for increasing async queue entries. Error messages may appear in the /var/log/messages, indicating issues with delayed route/nexthop unrefs and memory usage.

Recommendations For versions prior to 17.2X75-D105, update to 17.2X75-D105 or later. For versions prior to 18.1R3-S11, update to 18.1R3-S11 or later. For versions prior to 18.2R3-S5, update to 18.2R3-S5 or later. For versions prior to 18.2X75-D420, update to 18.2X75-D420 or later. For versions prior to 18.2X75-D53, update to 18.2X75-D53 or later. For versions prior to 18.2X75-D65, update to 18.2X75-D65 or later. For versions prior to 18.3R2-S4, update to 18.3R2-S4 or later. For versions prior to 18.3R3-S3, update to 18.3R3-S3 or later. For versions prior to 18.4R1-S7, update to 18.4R1-S7 or later. For versions prior to 18.4R2-S5, update to 18.4R2-S5 or later. For versions prior to 18.4R3-S4, update to 18.4R3-S4 or later. For versions prior to 19.1R2-S2, update to 19.1R2-S2 or later. For versions prior to 19.1R3-S2, update to 19.1R3-S2 or later. For versions prior to 19.2R1-S5, update to 19.2R1-S5 or later. For versions prior to 19.2R3, update to 19.2R3 or later. For versions prior to 19.3R2-S3, update to 19.3R2-S3 or later. For versions prior to 19.3R3, update to 19.3R3 or later. For versions prior to 19.4R1-S2, update to 19.4R1-S2 or later. For versions prior to 19.4R2-S1, update to 19.4R2-S1 or later. For versions prior to 19.4R3, update to 19.4R3 or later. For versions prior to 20.1R1-S2, update to 20.1R1-S2 or later. For versions prior to 20.1R2, update to 20.1R2 or later.