CVE-2023-28961

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS on ACX Series versions prior to 20.2R3-S7 Juniper Networks Junos OS on ACX Series version 20.4 versions prior to 20.4R3-S4 Juniper Networks Junos OS on ACX Series version 21.1 versions prior to 21.1R3-S3 Juniper Networks Junos OS on ACX Series version 21.2 versions prior to 21.2R3-S4 Juniper Networks Junos OS on ACX Series version 21.3 versions prior to 21.3R3 Juniper Networks Junos OS on ACX Series version 21.4 versions prior to 21.4R3 Juniper Networks Junos OS on ACX Series version 22.1 versions prior to 22.1R2

Description An issue in IPv6 firewall filter processing will prevent a firewall filter with the term 'from next-header ah' from being properly installed in the packet forwarding engine, allowing an attacker to send valid packets to or through the device that were explicitly intended to be dropped. Indications of the issue can be identified with specific logs, including fpc0 ACX DFW CFG FAILED errors.

Recommendations For versions prior to 20.2R3-S7, update to version 20.2R3-S7 or later. For version 20.4, update to version 20.4R3-S4 or later. For version 21.1, update to version 21.1R3-S3 or later. For version 21.2, update to version 21.2R3-S4 or later. For version 21.3, update to version 21.3R3 or later. For version 21.4, update to version 21.4R3 or later. For version 22.1, update to version 22.1R2 or later.