CVE-2022-22167

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS on SRX Series versions 18.4 through 18.4R2-S9 Juniper Networks Junos OS on SRX Series versions 18.4R3 through 18.4R3-S9 Juniper Networks Junos OS on SRX Series versions 19.1 through 19.1R3-S7 Juniper Networks Junos OS on SRX Series versions 19.2 through 19.2R1-S7 Juniper Networks Junos OS on SRX Series versions 19.2R3 through 19.2R3-S3 Juniper Networks Junos OS on SRX Series versions 19.3 through 19.3R3-S2 Juniper Networks Junos OS on SRX Series versions 19.4 through 19.4R3-S4 Juniper Networks Junos OS on SRX Series versions 20.1 through 20.1R3-S0 Juniper Networks Junos OS on SRX Series versions 20.2 through 20.2R3-S1 Juniper Networks Junos OS on SRX Series versions 20.3 through 20.3R3-S0 Juniper Networks Junos OS on SRX Series versions 20.4 through 20.4R2-S1 Juniper Networks Junos OS on SRX Series versions 20.4R3 through 20.4R3 Juniper Networks Junos OS on SRX Series versions 21.1 through 21.1R2-S1 Juniper Networks Junos OS on SRX Series versions 21.1R3 through 21.1R3 Juniper Networks Junos OS on SRX Series versions 21.2 through 21.2R2

Description A traffic classification issue in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources when 'no-syn-check' is enabled on the device. The issue occurs because the classification of out-of-state asymmetric TCP flows as the dynamic-application UNKNOWN is not provided to the policy module properly, causing the firewall to allow traffic to be forwarded that should have been denied.

Recommendations For versions 18.4 through 18.4R2-S9, update to 18.4R2-S10 or later. For versions 18.4R3 through 18.4R3-S9, update to 18.4R3-S10 or later. For versions 19.1 through 19.1R3-S7, update to 19.1R3-S8 or later. For versions 19.2 through 19.2R1-S7, update to 19.2R1-S8 or later. For versions 19.2R3 through 19.2R3-S3, update to 19.2R3-S4 or later. For versions 19.3 through 19.3R3-S2, update to 19.3R3-S3 or later. For versions 19.4 through 19.4R3-S4, update to 19.4R3-S5 or later. For versions 20.1 through 20.1R3-S0, update to 20.1R3-S1 or later. For versions 20.2 through 20.2R3-S1, update to 20.2R3-S2 or later. For versions 20.3 through 20.3R3-S0, update to 20.3R3-S1 or later. For versions 20.4 through 20.4R2-S1, update to 20.4R2-S2 or later. For versions 20.4R3 through 20.4R3, update to 20.4R3 or later. For versions 21.1 through 21.1R2-S1, update to 21.1R2-S2 or later. For versions 21.1R3 through 21.1R3, update to 21.1R3 or later. For versions 21.2 through 21.2R2, update to 21.2R2 or later. As a temporary workaround, consider disabling the 'set security flow tcp-session no-syn-check' configuration on the device until a patch is available.