PT-2022-3886 · Juniper Networks · Junos

Published: 2022-07-13 · Updated: 2022-07-30 · CVE-2022-22205

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Juniper Networks Junos OS on SRX Series versions 20.3 through 20.3R3-S2
Juniper Networks Junos OS on SRX Series versions 20.4 through 20.4R3-S2
Juniper Networks Junos OS on SRX Series versions 21.1 through 21.1R3
Juniper Networks Junos OS on SRX Series versions 21.2 through 21.2R2-S1, 21.2R3
Juniper Networks Junos OS on SRX Series versions 21.3 through 21.3R1-S2, 21.3R2

Description

A Missing Release of Memory after Effective Lifetime issue in the Application Quality of Experience (AppQoE) subsystem of the Packet Forwarding Engine (PFE) allows an unauthenticated network-based attacker to cause a Denial of Service (DoS). Upon receiving specific traffic, a memory leak occurs. Sustained processing of such traffic eventually leads to an out-of-memory condition that prevents all services from continuing to function and requires a manual restart to recover. This issue only affects devices when advanced policy-based routing (APBR) is configured and AppQoE (sla rule) is not configured for these APBR rules.

Recommendations

For versions 20.3 through 20.3R3-S2, update to version 20.3R3-S2 or later.
For versions 20.4 through 20.4R3-S2, update to version 20.4R3-S2 or later.
For versions 21.1 through 21.1R3, update to version 21.1R3 or later.
For versions 21.2 through 21.2R2-S1, 21.2R3, update to a version later than 21.2R2-S1 and 21.2R3.
For versions 21.3 through 21.3R1-S2, 21.3R2, update to a version later than 21.3R1-S2 and 21.3R2.

As a temporary workaround, consider disabling advanced policy-based routing (APBR) until a patch is available. Restrict access to the AppQoE subsystem to minimize the risk of exploitation. Avoid using the AppQoE (sla rule) in the affected APBR rules until the issue is resolved.

Tags: Fix · DoS · Memory Leak


Weakness Enumeration

Related Identifiers

BDU:2022-04695
CVE-2022-22205

Affected Products

Junos