CVE-2022-22223: Junos OS: QFX10000 Series: In IP/MPLS PHP node scenarios upon receipt of certain crafted packets multiple interfaces in LAG configurations may detach.

First published: Tue Oct 18 2022(Updated: )

On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (PHP) nodes with link aggregation group (LAG) interfaces, an Improper Validation of Specified Index, Position, or Offset in Input weakness allows an attacker sending certain IP packets to cause multiple interfaces in the LAG to detach causing a Denial of Service (DoS) condition. Continued receipt and processing of these packets will sustain the Denial of Service. This issue affects IPv4 and IPv6 packets. Packets of either type can cause and sustain the DoS event. These packets can be destined to the device or be transit packets. On devices such as the QFX10008 with line cards, line cards can be restarted to restore service. On devices such as the QFX10002 you can restart the PFE service, or reboot device to restore service. This issue affects: Juniper Networks Junos OS on QFX10000 Series: All versions prior to 15.1R7-S11; 18.4 versions prior to 18.4R2-S10, 18.4R3-S10; 19.1 versions prior to 19.1R3-S8; 19.2 versions prior to 19.2R3-S4; 19.3 versions prior to 19.3R3-S5; 19.4 versions prior to 19.4R2-S6, 19.4R3-S7; 20.1 versions prior to 20.1R3-S3; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S2; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R3-S3; 21.3 versions prior to 21.3R3-S1. An indicator of compromise may be seen by issuing the command: request pfe execute target fpc0 command "show jspec pechip[3] registers ps l2_node 10" timeout 0 | refresh 1 | no-more and reviewing for backpressured output; for example: GOT: 0x220702a8 pe.ps.l2_node[10].pkt_cnt 00000076 GOT: 0x220702b4 pe.ps.l2_node[10].backpressured 00000002 <<<< STICKS HERE and requesting detail on the pepic wanio: request pfe execute target fpc0 command "show pepic 0 wanio-info" timeout 0 | no-more | match xe-0/0/0:2 GOT: 3 xe-0/0/0:2 10 6 3 0 1 10 189 10 0x6321b088 <<< LOOK HERE as well as looking for tail drops looking at the interface queue, for example: show interfaces queue xe-0/0/0:2 resulting in: Transmitted: Total-dropped packets: 1094137 0 pps << LOOK HERE

Credit: sirt@juniper.net

Affected Software	Affected Version	How to fix
Juniper JUNOS	<15.1
Juniper JUNOS	=15.1
Juniper JUNOS	=15.1-a1
Juniper JUNOS	=15.1-f
Juniper JUNOS	=15.1-f1
Juniper JUNOS	=15.1-f2
Juniper JUNOS	=15.1-f2-s1
Juniper JUNOS	=15.1-f2-s2
Juniper JUNOS	=15.1-f2-s3
Juniper JUNOS	=15.1-f2-s4
Juniper JUNOS	=15.1-f3
Juniper JUNOS	=15.1-f4
Juniper JUNOS	=15.1-f5
Juniper JUNOS	=15.1-f5-s7
Juniper JUNOS	=15.1-f6
Juniper JUNOS	=15.1-f6-s1
Juniper JUNOS	=15.1-f6-s10
Juniper JUNOS	=15.1-f6-s12
Juniper JUNOS	=15.1-f6-s2
Juniper JUNOS	=15.1-f6-s3
Juniper JUNOS	=15.1-f6-s4
Juniper JUNOS	=15.1-f6-s5
Juniper JUNOS	=15.1-f6-s6
Juniper JUNOS	=15.1-f6-s7
Juniper JUNOS	=15.1-f6-s8
Juniper JUNOS	=15.1-f6-s9
Juniper JUNOS	=15.1-f7
Juniper JUNOS	=15.1-r
Juniper JUNOS	=15.1-r1
Juniper JUNOS	=15.1-r2
Juniper JUNOS	=15.1-r3
Juniper JUNOS	=15.1-r4
Juniper JUNOS	=15.1-r4-s7
Juniper JUNOS	=15.1-r4-s8
Juniper JUNOS	=15.1-r4-s9
Juniper JUNOS	=15.1-r5
Juniper JUNOS	=15.1-r5-s1
Juniper JUNOS	=15.1-r5-s3
Juniper JUNOS	=15.1-r5-s5
Juniper JUNOS	=15.1-r5-s6
Juniper JUNOS	=15.1-r6
Juniper JUNOS	=15.1-r6-s1
Juniper JUNOS	=15.1-r6-s2
Juniper JUNOS	=15.1-r6-s3
Juniper JUNOS	=15.1-r6-s4
Juniper JUNOS	=15.1-r6-s6
Juniper JUNOS	=15.1-r7
Juniper JUNOS	=15.1-r7-s1
Juniper JUNOS	=15.1-r7-s10
Juniper JUNOS	=15.1-r7-s2
Juniper JUNOS	=15.1-r7-s3
Juniper JUNOS	=15.1-r7-s4
Juniper JUNOS	=15.1-r7-s5
Juniper JUNOS	=15.1-r7-s6
Juniper JUNOS	=15.1-r7-s7
Juniper JUNOS	=15.1-r7-s8
Juniper JUNOS	=15.1-r7-s9
Juniper JUNOS	=18.4
Juniper JUNOS	=18.4-r1
Juniper JUNOS	=18.4-r1-s1
Juniper JUNOS	=18.4-r1-s2
Juniper JUNOS	=18.4-r1-s3
Juniper JUNOS	=18.4-r1-s4
Juniper JUNOS	=18.4-r1-s5
Juniper JUNOS	=18.4-r1-s6
Juniper JUNOS	=18.4-r1-s7
Juniper JUNOS	=18.4-r2
Juniper JUNOS	=18.4-r2-s1
Juniper JUNOS	=18.4-r2-s2
Juniper JUNOS	=18.4-r2-s3
Juniper JUNOS	=18.4-r2-s4
Juniper JUNOS	=18.4-r2-s5
Juniper JUNOS	=18.4-r2-s6
Juniper JUNOS	=18.4-r2-s7
Juniper JUNOS	=18.4-r2-s8
Juniper JUNOS	=18.4-r2-s9
Juniper JUNOS	=18.4-r3
Juniper JUNOS	=18.4-r3-s1
Juniper JUNOS	=18.4-r3-s2
Juniper JUNOS	=18.4-r3-s3
Juniper JUNOS	=18.4-r3-s4
Juniper JUNOS	=18.4-r3-s5
Juniper JUNOS	=18.4-r3-s6
Juniper JUNOS	=18.4-r3-s7
Juniper JUNOS	=18.4-r3-s8
Juniper JUNOS	=18.4-r3-s9
Juniper JUNOS	=19.1
Juniper JUNOS	=19.1-r1
Juniper JUNOS	=19.1-r1-s1
Juniper JUNOS	=19.1-r1-s2
Juniper JUNOS	=19.1-r1-s3
Juniper JUNOS	=19.1-r1-s4
Juniper JUNOS	=19.1-r1-s5
Juniper JUNOS	=19.1-r1-s6
Juniper JUNOS	=19.1-r2
Juniper JUNOS	=19.1-r2-s1
Juniper JUNOS	=19.1-r2-s2
Juniper JUNOS	=19.1-r2-s3
Juniper JUNOS	=19.1-r3
Juniper JUNOS	=19.1-r3-s1
Juniper JUNOS	=19.1-r3-s2
Juniper JUNOS	=19.1-r3-s3
Juniper JUNOS	=19.1-r3-s4
Juniper JUNOS	=19.1-r3-s5
Juniper JUNOS	=19.1-r3-s6
Juniper JUNOS	=19.1-r3-s7
Juniper JUNOS	=19.2
Juniper JUNOS	=19.2-r1
Juniper JUNOS	=19.2-r1-s1
Juniper JUNOS	=19.2-r1-s2
Juniper JUNOS	=19.2-r1-s3
Juniper JUNOS	=19.2-r1-s4
Juniper JUNOS	=19.2-r1-s5
Juniper JUNOS	=19.2-r1-s6
Juniper JUNOS	=19.2-r1-s7
Juniper JUNOS	=19.2-r1-s8
Juniper JUNOS	=19.2-r1-s9
Juniper JUNOS	=19.2-r2
Juniper JUNOS	=19.2-r2-s1
Juniper JUNOS	=19.2-r3
Juniper JUNOS	=19.2-r3-s1
Juniper JUNOS	=19.2-r3-s2
Juniper JUNOS	=19.2-r3-s3
Juniper JUNOS	=19.3
Juniper JUNOS	=19.3-r1
Juniper JUNOS	=19.3-r1-s1
Juniper JUNOS	=19.3-r2
Juniper JUNOS	=19.3-r2-s1
Juniper JUNOS	=19.3-r2-s2
Juniper JUNOS	=19.3-r2-s3
Juniper JUNOS	=19.3-r2-s4
Juniper JUNOS	=19.3-r2-s5
Juniper JUNOS	=19.3-r2-s6
Juniper JUNOS	=19.3-r3
Juniper JUNOS	=19.3-r3-s1
Juniper JUNOS	=19.3-r3-s2
Juniper JUNOS	=19.3-r3-s3
Juniper JUNOS	=19.3-r3-s4
Juniper JUNOS	=19.4
Juniper JUNOS	=19.4-r1
Juniper JUNOS	=19.4-r1-s1
Juniper JUNOS	=19.4-r1-s2
Juniper JUNOS	=19.4-r1-s3
Juniper JUNOS	=19.4-r1-s4
Juniper JUNOS	=19.4-r2
Juniper JUNOS	=19.4-r2-s1
Juniper JUNOS	=19.4-r2-s2
Juniper JUNOS	=19.4-r2-s3
Juniper JUNOS	=19.4-r2-s4
Juniper JUNOS	=19.4-r2-s5
Juniper JUNOS	=19.4-r3
Juniper JUNOS	=19.4-r3-s1
Juniper JUNOS	=19.4-r3-s2
Juniper JUNOS	=19.4-r3-s3
Juniper JUNOS	=19.4-r3-s4
Juniper JUNOS	=19.4-r3-s5
Juniper JUNOS	=19.4-r3-s6
Juniper JUNOS	=20.1
Juniper JUNOS	=20.1-r1
Juniper JUNOS	=20.1-r1-s1
Juniper JUNOS	=20.1-r1-s2
Juniper JUNOS	=20.1-r1-s3
Juniper JUNOS	=20.1-r1-s4
Juniper JUNOS	=20.1-r2
Juniper JUNOS	=20.1-r2-s1
Juniper JUNOS	=20.1-r2-s2
Juniper JUNOS	=20.1-r3
Juniper JUNOS	=20.1-r3-s1
Juniper JUNOS	=20.1-r3-s2
Juniper JUNOS	=20.2
Juniper JUNOS	=20.2-r1
Juniper JUNOS	=20.2-r1-s1
Juniper JUNOS	=20.2-r1-s2
Juniper JUNOS	=20.2-r1-s3
Juniper JUNOS	=20.2-r2
Juniper JUNOS	=20.2-r2-s1
Juniper JUNOS	=20.2-r2-s2
Juniper JUNOS	=20.2-r2-s3
Juniper JUNOS	=20.2-r3
Juniper JUNOS	=20.2-r3-s1
Juniper JUNOS	=20.2-r3-s2
Juniper JUNOS	=20.3
Juniper JUNOS	=20.3-r1
Juniper JUNOS	=20.3-r1-s1
Juniper JUNOS	=20.3-r1-s2
Juniper JUNOS	=20.3-r2
Juniper JUNOS	=20.3-r2-s1
Juniper JUNOS	=20.3-r3
Juniper JUNOS	=20.3-r3-s1
Juniper JUNOS	=20.4
Juniper JUNOS	=20.4-r1
Juniper JUNOS	=20.4-r1-s1
Juniper JUNOS	=20.4-r2
Juniper JUNOS	=20.4-r2-s1
Juniper JUNOS	=20.4-r2-s2
Juniper JUNOS	=20.4-r3
Juniper JUNOS	=20.4-r3-s1
Juniper JUNOS	=20.4-r3-s2
Juniper JUNOS	=20.4-r3-s3
Juniper JUNOS	=21.1
Juniper JUNOS	=21.1-r1
Juniper JUNOS	=21.1-r1-s1
Juniper JUNOS	=21.1-r2
Juniper JUNOS	=21.1-r2-s1
Juniper JUNOS	=21.1-r2-s2
Juniper JUNOS	=21.2
Juniper JUNOS	=21.2-r1
Juniper JUNOS	=21.2-r1-s1
Juniper JUNOS	=21.2-r1-s2
Juniper JUNOS	=21.2-r2
Juniper JUNOS	=21.2-r2-s1
Juniper JUNOS	=21.2-r2-s2
Juniper JUNOS	=21.2-r3
Juniper JUNOS	=21.2-r3-s2
Juniper JUNOS	=21.3
Juniper JUNOS	=21.3-r1
Juniper JUNOS	=21.3-r1-s1
Juniper JUNOS	=21.3-r1-s2
Juniper JUNOS	=21.3-r2
Juniper JUNOS	=21.3-r2-s1
Juniper JUNOS	=21.3-r2-s2
Juniper JUNOS	=21.3-r3
Juniper Qfx10002
Juniper Qfx10008
Juniper Qfx10016

Remedy

The following software releases have been updated to resolve this specific issue: 15.1R7-S11, 18.4R2-S10, 18.4R3-S10, 19.1R3-S8, 19.2R3-S4, 19.3R3-S5, 19.4R2-S6, 19.4R3-S7, 20.1R3-S3, 20.2R3-S3, 20.3R3-S2, 20.4R3-S4, 21.1R3, 21.2R3-S3, 21.3R3-S1 21.4R1, and all subsequent releases.

Never miss a vulnerability like this again

Reference Links

https://kb.juniper.net/JSA69873

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/remedy
agent/severity
agent/author
agent/weakness
agent/title
agent/last-modified-date
agent/references
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/juniper
canonical/juniper junos
version/juniper junos/15.1
version/juniper junos/15.1-a1
version/juniper junos/15.1-f
version/juniper junos/15.1-f1
version/juniper junos/15.1-f2
version/juniper junos/15.1-f2-s1
version/juniper junos/15.1-f2-s2
version/juniper junos/15.1-f2-s3
version/juniper junos/15.1-f2-s4
version/juniper junos/15.1-f3
version/juniper junos/15.1-f4
version/juniper junos/15.1-f5
version/juniper junos/15.1-f5-s7
version/juniper junos/15.1-f6
version/juniper junos/15.1-f6-s1
version/juniper junos/15.1-f6-s10
version/juniper junos/15.1-f6-s12
version/juniper junos/15.1-f6-s2
version/juniper junos/15.1-f6-s3
version/juniper junos/15.1-f6-s4
version/juniper junos/15.1-f6-s5
version/juniper junos/15.1-f6-s6
version/juniper junos/15.1-f6-s7
version/juniper junos/15.1-f6-s8
version/juniper junos/15.1-f6-s9
version/juniper junos/15.1-f7
version/juniper junos/15.1-r
version/juniper junos/15.1-r1
version/juniper junos/15.1-r2
version/juniper junos/15.1-r3
version/juniper junos/15.1-r4
version/juniper junos/15.1-r4-s7
version/juniper junos/15.1-r4-s8
version/juniper junos/15.1-r4-s9
version/juniper junos/15.1-r5
version/juniper junos/15.1-r5-s1
version/juniper junos/15.1-r5-s3
version/juniper junos/15.1-r5-s5
version/juniper junos/15.1-r5-s6
version/juniper junos/15.1-r6
version/juniper junos/15.1-r6-s1
version/juniper junos/15.1-r6-s2
version/juniper junos/15.1-r6-s3
version/juniper junos/15.1-r6-s4
version/juniper junos/15.1-r6-s6
version/juniper junos/15.1-r7
version/juniper junos/15.1-r7-s1
version/juniper junos/15.1-r7-s10
version/juniper junos/15.1-r7-s2
version/juniper junos/15.1-r7-s3
version/juniper junos/15.1-r7-s4
version/juniper junos/15.1-r7-s5
version/juniper junos/15.1-r7-s6
version/juniper junos/15.1-r7-s7
version/juniper junos/15.1-r7-s8
version/juniper junos/15.1-r7-s9
version/juniper junos/18.4
version/juniper junos/18.4-r1
version/juniper junos/18.4-r1-s1
version/juniper junos/18.4-r1-s2
version/juniper junos/18.4-r1-s3
version/juniper junos/18.4-r1-s4
version/juniper junos/18.4-r1-s5
version/juniper junos/18.4-r1-s6
version/juniper junos/18.4-r1-s7
version/juniper junos/18.4-r2
version/juniper junos/18.4-r2-s1
version/juniper junos/18.4-r2-s2
version/juniper junos/18.4-r2-s3
version/juniper junos/18.4-r2-s4
version/juniper junos/18.4-r2-s5
version/juniper junos/18.4-r2-s6
version/juniper junos/18.4-r2-s7
version/juniper junos/18.4-r2-s8
version/juniper junos/18.4-r2-s9
version/juniper junos/18.4-r3
version/juniper junos/18.4-r3-s1
version/juniper junos/18.4-r3-s2
version/juniper junos/18.4-r3-s3
version/juniper junos/18.4-r3-s4
version/juniper junos/18.4-r3-s5
version/juniper junos/18.4-r3-s6
version/juniper junos/18.4-r3-s7
version/juniper junos/18.4-r3-s8
version/juniper junos/18.4-r3-s9
version/juniper junos/19.1
version/juniper junos/19.1-r1
version/juniper junos/19.1-r1-s1
version/juniper junos/19.1-r1-s2
version/juniper junos/19.1-r1-s3
version/juniper junos/19.1-r1-s4
version/juniper junos/19.1-r1-s5
version/juniper junos/19.1-r1-s6
version/juniper junos/19.1-r2
version/juniper junos/19.1-r2-s1
version/juniper junos/19.1-r2-s2
version/juniper junos/19.1-r2-s3
version/juniper junos/19.1-r3
version/juniper junos/19.1-r3-s1
version/juniper junos/19.1-r3-s2
version/juniper junos/19.1-r3-s3
version/juniper junos/19.1-r3-s4
version/juniper junos/19.1-r3-s5
version/juniper junos/19.1-r3-s6
version/juniper junos/19.1-r3-s7
version/juniper junos/19.2
version/juniper junos/19.2-r1
version/juniper junos/19.2-r1-s1
version/juniper junos/19.2-r1-s2
version/juniper junos/19.2-r1-s3
version/juniper junos/19.2-r1-s4
version/juniper junos/19.2-r1-s5
version/juniper junos/19.2-r1-s6
version/juniper junos/19.2-r1-s7
version/juniper junos/19.2-r1-s8
version/juniper junos/19.2-r1-s9
version/juniper junos/19.2-r2
version/juniper junos/19.2-r2-s1
version/juniper junos/19.2-r3
version/juniper junos/19.2-r3-s1
version/juniper junos/19.2-r3-s2
version/juniper junos/19.2-r3-s3
version/juniper junos/19.3
version/juniper junos/19.3-r1
version/juniper junos/19.3-r1-s1
version/juniper junos/19.3-r2
version/juniper junos/19.3-r2-s1
version/juniper junos/19.3-r2-s2
version/juniper junos/19.3-r2-s3
version/juniper junos/19.3-r2-s4
version/juniper junos/19.3-r2-s5
version/juniper junos/19.3-r2-s6
version/juniper junos/19.3-r3
version/juniper junos/19.3-r3-s1
version/juniper junos/19.3-r3-s2
version/juniper junos/19.3-r3-s3
version/juniper junos/19.3-r3-s4
version/juniper junos/19.4
version/juniper junos/19.4-r1
version/juniper junos/19.4-r1-s1
version/juniper junos/19.4-r1-s2
version/juniper junos/19.4-r1-s3
version/juniper junos/19.4-r1-s4
version/juniper junos/19.4-r2
version/juniper junos/19.4-r2-s1
version/juniper junos/19.4-r2-s2
version/juniper junos/19.4-r2-s3
version/juniper junos/19.4-r2-s4
version/juniper junos/19.4-r2-s5
version/juniper junos/19.4-r3
version/juniper junos/19.4-r3-s1
version/juniper junos/19.4-r3-s2
version/juniper junos/19.4-r3-s3
version/juniper junos/19.4-r3-s4
version/juniper junos/19.4-r3-s5
version/juniper junos/19.4-r3-s6
version/juniper junos/20.1
version/juniper junos/20.1-r1
version/juniper junos/20.1-r1-s1
version/juniper junos/20.1-r1-s2
version/juniper junos/20.1-r1-s3
version/juniper junos/20.1-r1-s4
version/juniper junos/20.1-r2
version/juniper junos/20.1-r2-s1
version/juniper junos/20.1-r2-s2
version/juniper junos/20.1-r3
version/juniper junos/20.1-r3-s1
version/juniper junos/20.1-r3-s2
version/juniper junos/20.2
version/juniper junos/20.2-r1
version/juniper junos/20.2-r1-s1
version/juniper junos/20.2-r1-s2
version/juniper junos/20.2-r1-s3
version/juniper junos/20.2-r2
version/juniper junos/20.2-r2-s1
version/juniper junos/20.2-r2-s2
version/juniper junos/20.2-r2-s3
version/juniper junos/20.2-r3
version/juniper junos/20.2-r3-s1
version/juniper junos/20.2-r3-s2
version/juniper junos/20.3
version/juniper junos/20.3-r1
version/juniper junos/20.3-r1-s1
version/juniper junos/20.3-r1-s2
version/juniper junos/20.3-r2
version/juniper junos/20.3-r2-s1
version/juniper junos/20.3-r3
version/juniper junos/20.3-r3-s1
version/juniper junos/20.4
version/juniper junos/20.4-r1
version/juniper junos/20.4-r1-s1
version/juniper junos/20.4-r2
version/juniper junos/20.4-r2-s1
version/juniper junos/20.4-r2-s2
version/juniper junos/20.4-r3
version/juniper junos/20.4-r3-s1
version/juniper junos/20.4-r3-s2
version/juniper junos/20.4-r3-s3
version/juniper junos/21.1
version/juniper junos/21.1-r1
version/juniper junos/21.1-r1-s1
version/juniper junos/21.1-r2
version/juniper junos/21.1-r2-s1
version/juniper junos/21.1-r2-s2
version/juniper junos/21.2
version/juniper junos/21.2-r1
version/juniper junos/21.2-r1-s1
version/juniper junos/21.2-r1-s2
version/juniper junos/21.2-r2
version/juniper junos/21.2-r2-s1
version/juniper junos/21.2-r2-s2
version/juniper junos/21.2-r3
version/juniper junos/21.2-r3-s2
version/juniper junos/21.3
version/juniper junos/21.3-r1
version/juniper junos/21.3-r1-s1
version/juniper junos/21.3-r1-s2
version/juniper junos/21.3-r2
version/juniper junos/21.3-r2-s1
version/juniper junos/21.3-r2-s2
version/juniper junos/21.3-r3
canonical/juniper qfx10002
canonical/juniper qfx10008
canonical/juniper qfx10016

CVE-2022-22223: Junos OS: QFX10000 Series: In IP/MPLS PHP node scenarios upon receipt of certain crafted packets multiple interfaces in LAG configurations may detach.

Remedy

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact