PT-2021-2137 · Juniper Networks · Nfx250+7

Published: 2021-01-13 · Updated: 2021-02-05 · CVE-2021-0207

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Juniper Networks Junos OS versions prior to 17.3R3-S7 on NFX250, QFX5K Series, EX4600
Juniper Networks Junos OS versions prior to 17.4R2-S11, 17.4R3-S3 on NFX250, QFX5K Series, EX4600
Juniper Networks Junos OS versions prior to 18.1R3-S9 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4600
Juniper Networks Junos OS versions prior to 18.2R3-S3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600
Juniper Networks Junos OS versions prior to 18.3R3-S1 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series
Juniper Networks Junos OS versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series
Juniper Networks Junos OS versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series
Juniper Networks Junos OS versions prior to 19.2R1-S5, 19.2R2 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series
Juniper Networks Junos OS versions prior to 19.3R2-S3, 19.3R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series
Juniper Networks Junos OS versions prior to 19.4R1-S2, 19.4R2 on NFX250, NFX350, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series

Description

The issue is caused by conflicting interpretations of certain data between software components in Juniper Networks Junos OS devices. Because of this conflict, certain traffic cannot pass through the device when it is received on an ingress interface that filters specific types of traffic and is then redirected to an egress interface on a different VLAN. This causes a Denial of Service (DoS) to the clients sending these particular types of traffic. The traffic sent by a client may appear genuine but is non-standard in nature and should be considered potentially malicious. The issue affects IPv4 and IPv6 traffic. An indicator of compromise may be found in log files: the input interface shows 100% of traffic flowing into the device, yet the egress interface shows 0 pps leaving the device.

Recommendations

For Juniper Networks Junos OS versions prior to 17.3R3-S7, update to version 17.3R3-S7 or later.
For Juniper Networks Junos OS versions prior to 17.4R2-S11, 17.4R3-S3, update to version 17.4R2-S11, 17.4R3-S3 or later.
For Juniper Networks Junos OS versions prior to 18.1R3-S9, update to version 18.1R3-S9 or later.
For Juniper Networks Junos OS versions prior to 18.2R3-S3, update to version 18.2R3-S3 or later.
For Juniper Networks Junos OS versions prior to 18.3R3-S1, update to version 18.3R3-S1 or later.
For Juniper Networks Junos OS versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3, update to version 18.4R1-S5, 18.4R2-S3, 18.4R3 or later.
For Juniper Networks Junos OS versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3, update to version 19.1R1-S5, 19.1R2-S1, 19.1R3 or later.
For Juniper Networks Junos OS versions prior to 19.2R1-S5, 19.2R2, update to version 19.2R1-S5, 19.2R2 or later.
For Juniper Networks Junos OS versions prior to 19.3R2-S3, 19.3R3, update to version 19.3R2-S3, 19.3R3 or later.
For Juniper Networks Junos OS versions prior to 19.4R1-S2, 19.4R2, update to version 19.4R1-S2, 19.4R2 or later.
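
A release check against the fixed versions listed in the recommendations, as an added example (not vendor or database code). It assumes that within a train a release is compared against the fix on its own R branch, and that an R branch with no listed fix is fixed only if it is newer than every listed fix; the function names and the sample inventory are hypothetical, and the platform still has to be matched against the affected-products list separately.

```python
import re

# Fixed releases per Junos train, copied from the advisory's recommendations.
FIXED = {
    "17.3": ["17.3R3-S7"],
    "17.4": ["17.4R2-S11", "17.4R3-S3"],
    "18.1": ["18.1R3-S9"],
    "18.2": ["18.2R3-S3"],
    "18.3": ["18.3R3-S1"],
    "18.4": ["18.4R1-S5", "18.4R2-S3", "18.4R3"],
    "19.1": ["19.1R1-S5", "19.1R2-S1", "19.1R3"],
    "19.2": ["19.2R1-S5", "19.2R2"],
    "19.3": ["19.3R2-S3", "19.3R3"],
    "19.4": ["19.4R1-S2", "19.4R2"],
}

# <train>R<release>[-S<service release>], e.g. 18.4R2-S3; a trailing build
# suffix such as ".10" is ignored.
_RELEASE = re.compile(r"^(\d+\.\d+)R(\d+)(?:-S(\d+))?")


def parse_release(text):
    """Return (train, R, S) or None if the string is not in R/S form."""
    m = _RELEASE.match(text.strip())
    if m is None:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)


def cve_2021_0207_status(release):
    """Classify a Junos release as 'fixed', 'affected' or 'unknown'."""
    parsed = parse_release(release)
    if parsed is None or parsed[0] not in FIXED:
        return "unknown"  # train not named in the advisory, or unparsable
    train, r, s = parsed
    fixes = [parse_release(f)[1:] for f in FIXED[train]]
    for fix_r, fix_s in fixes:
        if r == fix_r:
            # Same R branch: compare the service-release number (assumption).
            return "fixed" if s >= fix_s else "affected"
    # R branch with no listed fix: fixed only if newer than every listed fix.
    return "fixed" if r > max(fix_r for fix_r, _ in fixes) else "affected"


if __name__ == "__main__":
    # Constructed sample inventory, not from the advisory.
    for rel in ["18.4R2-S1", "18.4R3-S2", "19.4R1.10", "17.4R2-S11", "20.1R1"]:
        print(rel, cve_2021_0207_status(rel))
```

Releases on trains the advisory does not name are reported as unknown rather than guessed.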

Fix

DoS


Weakness Enumeration

Related Identifiers

BDU:2021-00996
CVE-2021-0207

Affected Products

Ex2300 Series
Ex3400 Series
Ex4300 Multigigabit
Ex4600
Junos
Nfx250
Nfx350
Qfx5K Series