PT-2024-2966 · Juniper Networks · Junos+1

Published

2024-04-10

Updated

2024-05-16

CVE-2024-30386

CVSS v4.0

7.1

High

Vector

AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions Junos OS versions prior to 20.4R3-S8 Junos OS versions 21.2 prior to 21.2R3-S6 Junos OS versions 21.3 prior to 21.3R3-S5 Junos OS versions 21.4 prior to 21.4R3-S4 Junos OS versions 22.1 prior to 22.1R3-S3 Junos OS versions 22.2 prior to 22.2R3-S1 Junos OS versions 22.3 prior to 22.3R3 Junos OS versions 22.4 prior to 22.4R2 Junos OS Evolved versions prior to 20.4R3-S8-EVO Junos OS Evolved versions 21.2-EVO prior to 21.2R3-S6-EVO Junos OS Evolved versions 21.3-EVO prior to 21.3R3-S5-EVO Junos OS Evolved versions 21.4-EVO prior to 21.4R3-S4-EVO Junos OS Evolved versions 22.1-EVO prior to 22.1R3-S3-EVO Junos OS Evolved versions 22.2-EVO prior to 22.2R3-S1-EVO Junos OS Evolved versions 22.3-EVO prior to 22.3R3-EVO Junos OS Evolved versions 22.4-EVO prior to 22.4R2-EVO

Description A Use-After-Free vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause l2ald to crash leading to a Denial-of-Service (DoS). In an EVPN-VXLAN scenario, when state updates are received and processed by the affected system, the correct order of some processing steps is not ensured, which can lead to an l2ald crash and restart.

Recommendations For Junos OS versions prior to 20.4R3-S8, update to version 20.4R3-S8 or later. For Junos OS versions 21.2 prior to 21.2R3-S6, update to version 21.2R3-S6 or later. For Junos OS versions 21.3 prior to 21.3R3-S5, update to version 21.3R3-S5 or later. For Junos OS versions 21.4 prior to 21.4R3-S4, update to version 21.4R3-S4 or later. For Junos OS versions 22.1 prior to 22.1R3-S3, update to version 22.1R3-S3 or later. For Junos OS versions 22.2 prior to 22.2R3-S1, update to version 22.2R3-S1 or later. For Junos OS versions 22.3 prior to 22.3R3, update to version 22.3R3 or later. For Junos OS versions 22.4 prior to 22.4R2, update to version 22.4R2 or later. For Junos OS Evolved versions prior to 20.4R3-S8-EVO, update to version 20.4R3-S8-EVO or later. For Junos OS Evolved versions 21.2-EVO prior to 21.2R3-S6-EVO, update to version 21.2R3-S6-EVO or later. For Junos OS Evolved versions 21.3-EVO prior to 21.3R3-S5-EVO, update to version 21.3R3-S5-EVO or later. For Junos OS Evolved versions 21.4-EVO prior to 21.4R3-S4-EVO, update to version 21.4R3-S4-EVO or later. For Junos OS Evolved versions 22.1-EVO prior to 22.1R3-S3-EVO, update to version 22.1R3-S3-EVO or later. For Junos OS Evolved versions 22.2-EVO prior to 22.2R3-S1-EVO, update to version 22.2R3-S1-EVO or later. For Junos OS Evolved versions 22.3-EVO prior to 22.3R3-EVO, update to version 22.3R3-EVO or later. For Junos OS Evolved versions 22.4-EVO prior to 22.4R2-EVO, update to version 22.4R2-EVO or later.

Fix

DoS

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

BDU:2024-03133

CVE-2024-30386

Affected Products

Junos

Junos Evolved

PT-2024-2966 · Juniper Networks · Junos+1

CVE-2024-30386

Weakness Enumeration

Related Identifiers

Affected Products

References · 8