CVE-2023-22405

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS versions prior to 20.2R3-S5 Juniper Networks Junos OS versions 20.3 prior to 20.3R3-S5 Juniper Networks Junos OS versions 20.4 prior to 20.4R3-S4 Juniper Networks Junos OS versions 21.1 prior to 21.1R3-S3 Juniper Networks Junos OS versions 21.2 prior to 21.2R3-S1 Juniper Networks Junos OS versions 21.3 prior to 21.3R3 Juniper Networks Junos OS versions 21.4 prior to 21.4R3 Juniper Networks Junos OS versions 22.1 prior to 22.1R2

Description The issue is related to an Improper Preservation of Consistency Between Independent Representations of Shared State vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS. This vulnerability allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS) to the device due to out of resources. The vulnerability is triggered when a device is configured with "service-provider/SP style" switching and mac-limiting is configured on an Aggregated Ethernet (ae) interface, and then a PFE is restarted or the device is rebooted. Although traffic will continue to flow through the device, the mac table and respective logs will indicate that the mac limit is reached.

Recommendations For Juniper Networks Junos OS versions prior to 20.2R3-S5, update to version 20.2R3-S5 or later. For Juniper Networks Junos OS versions 20.3 prior to 20.3R3-S5, update to version 20.3R3-S5 or later. For Juniper Networks Junos OS versions 20.4 prior to 20.4R3-S4, update to version 20.4R3-S4 or later. For Juniper Networks Junos OS versions 21.1 prior to 21.1R3-S3, update to version 21.1R3-S3 or later. For Juniper Networks Junos OS versions 21.2 prior to 21.2R3-S1, update to version 21.2R3-S1 or later. For Juniper Networks Junos OS versions 21.3 prior to 21.3R3, update to version 21.3R3 or later. For Juniper Networks Junos OS versions 21.4 prior to 21.4R3, update to version 21.4R3 or later. For Juniper Networks Junos OS versions 22.1 prior to 22.1R2, update to version 22.1R2 or later. As a temporary workaround, consider removing and re-adding the MAC limit configuration to restore functionality.