PT-2022-1472 · Juniper Networks · Junos
Published: 2022-01-12 · Updated: 2022-02-01 · CVE-2022-22174
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 18.3R3-S6
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 18.4R2-S9
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 18.4R3-S9
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 19.1R2-S3
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 19.1R3-S7
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 19.2R1-S8
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 19.2R3-S3
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 19.3R2-S7
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 19.3R3-S4
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 19.4R2-S5
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 19.4R3-S6
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 20.1R3-S1
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 20.2R3-S2
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 20.3R3-S1
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 20.4R3
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 21.1R2-S1
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 21.1R3
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 21.2R1-S1
Juniper Networks Junos OS on QFX5000 Series and EX4600 versions prior to 21.2R2
Description
A vulnerability in the processing of inbound IPv6 packets in Juniper Networks Junos OS on QFX5000 Series and EX4600 switches may cause the memory to not be freed, leading to a packet DMA memory leak, and eventual Denial of Service (DoS) condition. Once the condition occurs, further packet processing will be impacted, creating a sustained Denial of Service (DoS) condition. The following error logs may be observed using the "show heap" command and the device may eventually run out of memory if such packets are received continuously.
Recommendations
As a temporary workaround, consider restricting the receipt of IPv6 packets to minimize the risk of exploitation.
For versions prior to 18.3R3-S6, update to 18.3R3-S6 or later.
For versions prior to 18.4R2-S9, update to 18.4R2-S9 or later.
For versions prior to 18.4R3-S9, update to 18.4R3-S9 or later.
For versions prior to 19.1R2-S3, update to 19.1R2-S3 or later.
For versions prior to 19.1R3-S7, update to 19.1R3-S7 or later.
For versions prior to 19.2R1-S8, update to 19.2R1-S8 or later.
For versions prior to 19.2R3-S3, update to 19.2R3-S3 or later.
For versions prior to 19.3R2-S7, update to 19.3R2-S7 or later.
For versions prior to 19.3R3-S4, update to 19.3R3-S4 or later.
For versions prior to 19.4R2-S5, update to 19.4R2-S5 or later.
For versions prior to 19.4R3-S6, update to 19.4R3-S6 or later.
For versions prior to 20.1R3-S1, update to 20.1R3-S1 or later.
For versions prior to 20.2R3-S2, update to 20.2R3-S2 or later.
For versions prior to 20.3R3-S1, update to 20.3R3-S1 or later.
For versions prior to 20.4R3, update to 20.4R3 or later.
For versions prior to 21.1R2-S1, update to 21.1R2-S1 or later.
For versions prior to 21.1R3, update to 21.1R3 or later.
For versions prior to 21.2R1-S1, update to 21.2R1-S1 or later.
For versions prior to 21.2R2, update to 21.2R2 or later.
Fix
DoS
Improper Handling of Exceptional Conditions
Memory Leak
Affected Products
Junos