CVE-2022-22191

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS on the EX4300 versions prior to 15.1R7-S12 Juniper Networks Junos OS on the EX4300 version 18.4 versions prior to 18.4R2-S10, 18.4R3-S11 Juniper Networks Junos OS on the EX4300 version 19.1 versions prior to 19.1R3-S8 Juniper Networks Junos OS on the EX4300 version 19.2 versions prior to 19.2R1-S9, 19.2R3-S4 Juniper Networks Junos OS on the EX4300 version 19.3 versions prior to 19.3R3-S5 Juniper Networks Junos OS on the EX4300 version 19.4 versions prior to 19.4R2-S6, 19.4R3-S7 Juniper Networks Junos OS on the EX4300 version 20.1 versions prior to 20.1R3-S3 Juniper Networks Junos OS on the EX4300 version 20.2 versions prior to 20.2R3-S3 Juniper Networks Junos OS on the EX4300 version 20.3 versions prior to 20.3R3-S2 Juniper Networks Junos OS on the EX4300 version 20.4 versions prior to 20.4R3-S1 Juniper Networks Junos OS on the EX4300 version 21.1 versions prior to 21.1R3 Juniper Networks Junos OS on the EX4300 version 21.2 versions prior to 21.2R2-S1, 21.2R3 Juniper Networks Junos OS on the EX4300 version 21.3 versions prior to 21.3R1-S2, 21.3R2

Description A Denial of Service (DoS) issue in the processing of a flood of specific ARP traffic in Juniper Networks Junos OS on the EX4300 switch may allow an unauthenticated network-adjacent attacker to trigger a PFEMAN watchdog timeout, causing the Packet Forwarding Engine (PFE) to crash and restart. After the restart, transit traffic will be temporarily interrupted until the PFE is reprogrammed. In a virtual chassis (VC), the impacted Flexible PIC Concentrator (FPC) may split from the VC temporarily, and join back into the VC once the PFE restarts. Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition.

Recommendations Update to a version of Juniper Networks Junos OS on the EX4300 that is not affected by this issue, such as version 15.1R7-S12 or later, 18.4R2-S10 or later, 18.4R3-S11 or later, 19.1R3-S8 or later, 19.2R1-S9 or later, 19.2R3-S4 or later, 19.3R3-S5 or later, 19.4R2-S6 or later, 19.4R3-S7 or later, 20.1R3-S3 or later, 20.2R3-S3 or later, 20.3R3-S2 or later, 20.4R3-S1 or later, 21.1R3 or later, 21.2R2-S1 or later, 21.2R3 or later, 21.3R1-S2 or later, 21.3R2 or later. As a temporary workaround, consider restricting access to the local broadcast domain to minimize the risk of exploitation. Restrict access to the vulnerable PFEMAN module to minimize the risk of exploitation. Avoid using the ARP protocol in the affected API endpoint until the issue is resolved.