CVE-2022-22157

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS on SRX Series versions 18.4 through 18.4R2-S8 Juniper Networks Junos OS on SRX Series versions 18.4R3 through 18.4R3-S8 Juniper Networks Junos OS on SRX Series versions 19.1 through 19.1R2-S2 Juniper Networks Junos OS on SRX Series versions 19.1R3 through 19.1R3-S5 Juniper Networks Junos OS on SRX Series versions 19.2 through 19.2R1-S6 Juniper Networks Junos OS on SRX Series versions 19.2R3 through 19.2R3-S2 Juniper Networks Junos OS on SRX Series versions 19.3 through 19.3R2-S5 Juniper Networks Junos OS on SRX Series versions 19.3R3 through 19.3R3-S1 Juniper Networks Junos OS on SRX Series versions 19.4 through 19.4R2-S4 Juniper Networks Junos OS on SRX Series versions 19.4R3 through 19.4R3-S2 Juniper Networks Junos OS on SRX Series versions 20.1 through 20.1R2-S1 Juniper Networks Junos OS on SRX Series versions 20.1R3 Juniper Networks Junos OS on SRX Series versions 20.2 through 20.2R3 Juniper Networks Junos OS on SRX Series versions 20.3 through 20.3R2 Juniper Networks Junos OS on SRX Series versions 20.4 through 20.4R1 Juniper Networks Junos OS on SRX Series versions 20.4R2 through 20.4R2 Juniper Networks Junos OS on SRX Series versions 20.4R3 Juniper Networks Junos OS on SRX Series versions 21.1 through 21.1R

Description A traffic classification issue in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources when 'no-syn-check' is enabled on the device. JDPI incorrectly classifies out-of-state asymmetric TCP flows as the dynamic-application INCONCLUSIVE instead of UNKNOWN, causing the firewall to allow traffic to be forwarded that should have been denied.

Recommendations For versions 18.4 through 18.4R2-S8, update to 18.4R2-S9 or later. For versions 18.4R3 through 18.4R3-S8, update to 18.4R3-S9 or later. For versions 19.1 through 19.1R2-S2, update to 19.1R2-S3 or later. For versions 19.1R3 through 19.1R3-S5, update to 19.1R3-S6 or later. For versions 19.2 through 19.2R1-S6, update to 19.2R1-S7 or later. For versions 19.2R3 through 19.2R3-S2, update to 19.2R3-S3 or later. For versions 19.3 through 19.3R2-S5, update to 19.3R2-S6 or later. For versions 19.3R3 through 19.3R3-S1, update to 19.3R3-S2 or later. For versions 19.4 through 19.4R2-S4, update to 19.4R2-S5 or later. For versions 19.4R3 through 19.4R3-S2, update to 19.4R3-S3 or later. For versions 20.1 through 20.1R2-S1, update to 20.1R2-S2 or later. For version 20.1R3, update to 20.1R3 or later. For versions 20.2 through 20.2R3, update to 20.2R3-S1 or later. For versions 20.3 through 20.3R2, update to 20.3R3 or later. For versions 20.4 through 20.4R1, update to 20.4R2-S1 or later. For versions 20.4R2 through 20.4R2, update to 20.4R2-S1 or later. For version 20.4R3, update to 20.4R3 or later. For versions 21.1 through 21.1R, update to 21.1R1-S1 or later. As a temporary workaround, consider disabling the 'no-syn-check' option until a patch is available.