CVE-2023-22395

Name of the Vulnerable Software and Affected Versions Junos OS versions prior to 19.3R3-S7 Junos OS 19.4 versions prior to 19.4R3-S9 Junos OS 20.1 version 20.1R1 and later versions Junos OS 20.2 versions prior to 20.2R3-S5 Junos OS 20.3 versions prior to 20.3R3-S5 Junos OS 20.4 versions prior to 20.4R3-S4 Junos OS 21.1 versions prior to 21.1R3-S3 Junos OS 21.2 versions prior to 21.2R3-S2 Junos OS 21.3 versions prior to 21.3R3-S1 Junos OS 21.4 versions prior to 21.4R3 Junos OS 22.1 versions prior to 22.1R2

Description The issue is related to a Missing Release of Memory after Effective Lifetime vulnerability in the kernel of Juniper Networks Junos OS. This vulnerability allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS) by sending specific packets to an Integrated Routing and Bridging (irb) interface of the device, resulting in a buffer (mbuf) leak. Continued receipt of these packets will cause a loss of connectivity to and from the device, requiring a reboot to recover. The show system buffers CLI command can be used to monitor mbuf usage.

Recommendations For Junos OS versions prior to 19.3R3-S7, update to version 19.3R3-S7 or later. For Junos OS 19.4 versions prior to 19.4R3-S9, update to version 19.4R3-S9 or later. For Junos OS 20.1 version 20.1R1 and later versions, update to a version that includes the fix for this issue. For Junos OS 20.2 versions prior to 20.2R3-S5, update to version 20.2R3-S5 or later. For Junos OS 20.3 versions prior to 20.3R3-S5, update to version 20.3R3-S5 or later. For Junos OS 20.4 versions prior to 20.4R3-S4, update to version 20.4R3-S4 or later. For Junos OS 21.1 versions prior to 21.1R3-S3, update to version 21.1R3-S3 or later. For Junos OS 21.2 versions prior to 21.2R3-S2, update to version 21.2R3-S2 or later. For Junos OS 21.3 versions prior to 21.3R3-S1, update to version 21.3R3-S1 or later. For Junos OS 21.4 versions prior to 21.4R3, update to version 21.4R3 or later. For Junos OS 22.1 versions prior to 22.1R2, update to version 22.1R2 or later. As a temporary workaround, consider monitoring mbuf usage using the show system buffers CLI command to detect potential issues.