Wednesday 23 December 2015

Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS

During an internal code review, two security issues were identified.

Administrative Access (CVE-2015-7755) allows unauthorized remote administrative access to the device. Exploitation of this vulnerability can lead to complete compromise of the affected device.

This issue only affects ScreenOS 6.3.0r17 through 6.3.0r20. No other Juniper products or versions of ScreenOS are affected by this issue.

Upon exploitation of this vulnerability, the log file would contain an entry that ‘system’ had logged on followed by password authentication for a username.

Example:

Normal login by user username1:
2015-12-17 09:00:00 system warn 00515 Admin user username1 has logged on via SSH from …..
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username1’ at host …

Compromised login by user username2:
2015-12-17 09:00:00 system warn 00515 Admin user system has logged on via SSH from …..
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username2’ at host …

Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been compromised.

This issue has been assigned CVE-2015-7755.


VPN Decryption (CVE-2015-7756) may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. It is independent of the first issue.

This issue affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. No other Juniper products or versions of ScreenOS are affected by this issue.

There is no way to detect that this vulnerability was exploited.

This issue has been assigned CVE-2015-7756.
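As an added example (not Juniper's code), the following Python maps a ScreenOS version string onto the affected ranges stated above for both CVEs and scans ScreenOS log lines for the CVE-2015-7755 login signature. The sample log lines are constructed in the bulletin's format, and their IP addresses and ports are made up.

```python
"""Added example, not Juniper's code: (1) map a ScreenOS version string onto the
affected ranges stated in the bulletin, and (2) scan ScreenOS log lines for the
CVE-2015-7755 signature: a 00515 "Admin user system has logged on" entry followed
by a 00528 password-authentication success for a different admin username.
Sample log lines and IP addresses below are constructed for this example."""
import re
from typing import List, Optional, Set, Tuple

# Affected ranges exactly as the bulletin states them: (base release, first r, last r).
AFFECTED = {
    "CVE-2015-7755": [("6.3.0", 17, 20)],
    "CVE-2015-7756": [("6.2.0", 15, 18), ("6.3.0", 12, 20)],
}

# Plain releases such as 6.3.0r18 and the respun "b" builds such as 6.3.0r18b.
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)r(\d+)(b)?$")


def affected_cves(version: str) -> Set[str]:
    """Return the CVEs whose stated affected range contains `version`.

    The "b" respins listed in the Solution section carry the fix and return an
    empty set. Any other version format (for example a -dnd/-dnc special build)
    is rejected rather than guessed at.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"version not covered by this check: {version!r}")
    base, rev, respin = m.group(1), int(m.group(2)), m.group(3)
    if respin:
        return set()
    return {
        cve
        for cve, ranges in AFFECTED.items()
        for b, lo, hi in ranges
        if b == base and lo <= rev <= hi
    }


# Event 00515: "Admin user <name> has logged on via <proto> from <addr>"
LOGON_RE = re.compile(r"\b00515 Admin user (\S+) has logged on\b")
# Event 00528: "SSH: Password authentication successful for admin user '<name>' at host <addr>"
AUTH_RE = re.compile(
    r"\b00528 \S+: Password authentication successful for admin user "
    r"[‘’']?([^‘’'\s]+)[‘’']? at host\b"
)


def find_backdoor_logins(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (logon_line, auth_line) pairs that match the bulletin's signature.

    A 00515 entry naming 'system' is held until the next 00528 entry; if that
    entry authenticates a different username the pair is reported. Any other
    00515 entry in between resets the state. An empty result is not proof of a
    clean device: the bulletin notes that an attacker can delete these entries.
    """
    hits: List[Tuple[str, str]] = []
    pending: Optional[str] = None
    for line in lines:
        m = LOGON_RE.search(line)
        if m:
            pending = line if m.group(1) == "system" else None
            continue
        m = AUTH_RE.search(line)
        if m and pending is not None:
            if m.group(1) != "system":
                hits.append((pending, line))
            pending = None
    return hits


# Constructed sample in the bulletin's format: one normal login, one matching the
# signature (addresses 192.0.2.10 and 198.51.100.7 and the ports are made up).
SAMPLE_LOG = """\
2015-12-17 09:00:00 system warn 00515 Admin user username1 has logged on via SSH from 192.0.2.10:51234
2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username1’ at host 192.0.2.10
2015-12-17 09:05:00 system warn 00515 Admin user system has logged on via SSH from 198.51.100.7:40021
2015-12-17 09:05:00 system warn 00528 SSH: Password authentication successful for admin user ‘username2’ at host 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for v in ("6.3.0r18", "6.2.0r16", "6.3.0r18b", "6.3.0r21"):
        print(v, sorted(affected_cves(v)) or "not in a stated affected range")
    for logon, auth in find_backdoor_logins(SAMPLE_LOG):
        print("signature match:\n  " + logon + "\n  " + auth)
```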


Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities; however, the password needed for the administrative access has been revealed publicly.

No other Juniper Networks products or platforms are affected by these issues.

Juniper has issued a statement about these vulnerabilities at: http://forums.juniper.net/t5/Security-Incident-Response/bg-p/SIRT

Solution:
The following software releases have been updated to resolve these specific issues: ScreenOS 6.2.0r19, 6.3.0r21, and all subsequent releases.

Additionally, earlier affected releases of ScreenOS 6.3.0 have been respun to resolve these issues. Fixes are included in: 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b, 6.3.0r19b.

All affected software releases on http://www.juniper.net/support/downloads/screenos.html have been updated with these fixes.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
The Juniper SIRT strongly recommends upgrading to a fixed release (in Solution section above) to resolve these critical vulnerabilities.

CVE-2015-7755 (unauthorized access) Mitigation
Restricting management access to only trusted management networks and hosts will help mitigate this issue. The attack can only be executed from a location where a legitimate management login would be permitted.

CVE-2015-7756 (VPN decryption) Mitigation
No workaround or detection exists for the VPN decryption vulnerability.

Security Best Current Practice (BCP)
In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit management access to the device only from trusted, internal, administrative networks or hosts.

Implementation:
How to obtain fixed software:
ScreenOS software releases are available at http://www.juniper.net/support/downloads/screenos.html

Sunday 13 December 2015

Secure Development Life Cycle

Six practices for improving product security
Secure Development Lifecycle
Juniper Secure Development Life Cycle (SDL) is a process for developing products that are secure and resilient. Juniper’s SDL program is made up of six core practices.

Practice #1: Secure Coding Training

Secure Coding training is the first step in implementing the Secure Development Life Cycle. All software developers at Juniper are required to take this training, which is foundational for building more resilient software. Training is provided in multiple coding languages, with developers taking the appropriate course.
Secure Coding training covers fundamental concepts related to secure coding, secure design, secure testing, and privacy.
Juniper believes that everyone involved in software development is responsible for the security of software products. This includes managers, program managers, testers, and IT personnel. With this in mind, secure development lifecycle training is available to all employees 24 hours a day, 7 days a week, and it offers a range of additional training covering secure coding fundamentals.

Practice #2: Security Considerations in Design

SDL Practice 2 defines the security-related steps that Juniper engineers and product managers must undertake in the planning phase of product development. During this phase, engineers and product managers are required to formally address security risks in Juniper planning documents like functional specifications and product requirements documents.

Practice #3: Threat Modeling

Threat modeling evaluates potential threats to a product. Threat modeling determines risks from those threats and sets the boundaries for a range of appropriate mitigations.
Threat models help developers define product attack surfaces, meaning the breadth and depth of exposure to compromise. For example, a weak password can be exploited by a brute force attack, or the use of a predictable TCP/IP ephemeral port may allow an attacker to mount a TCP reset attack.
Threat modeling builds a framework for deeper security evaluation by identifying and enumerating issues.

Practice #4: Penetration Testing

Once a product’s security posture has been defined, Juniper’s SDL calls for the evaluation and validation of the security risks through penetration testing. Penetration testing is a security evaluation methodology in which ethical hackers mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It involves launching real attacks on test systems, using tools and techniques commonly used by adversaries.
Penetration testing makes use of the threat model to devise a penetration test plan based on enumerated attack surfaces and threats.

Practice #5: Release Security Review

The release security review is the examination of a product’s security posture prior to its release with the goal of identifying and evaluating remaining security risks and the findings from all parts of the SDL. The result should be a big picture of the security posture of not just the software release, but the people, systems, and processes that produced it and have to support it over its lifecycle.

Practice #6: Incident Response Plan

Products released with no known vulnerabilities can become subject to threats over time. The incident response plan outlines how Juniper responds to potential product vulnerabilities and how these threats and mitigations are communicated to customers.
This practice builds on Juniper’s industry-respected Juniper Networks Security Incident Response Team (Juniper SIRT) framework for responding to security issues. In responding to security incidents, the plan relies on existing SIRT tools, best practices, processes, and relationships.

Sunday 6 December 2015

JTAC Recommended Junos Software Versions


SRX Series Services Gateways

Platform | JTAC Recommended Junos Software by Platform | Release Type | Last Updated
--- | --- | --- | ---
vSRX | Junos 15.1X49-D15.4 | Standard | 04 Sep 2015
SRX100B/H | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX100H2 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX110H | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX110H2 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX210B/H/BE/HE | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX210H2 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX220H | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX220H2 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX240B/H/B2/H2 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX550 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX650 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX1400 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX3400 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX3600 | Junos 12.1X46-D40.2 | Standard | 18 Nov 2015
SRX5400 | Junos 12.1X46-D40.2 (*1) | Standard | 18 Nov 2015
SRX5400 w/RE-1800X4 | Junos 12.1X47-D20.7 | Standard | 11 May 2015
SRX5400 w/IOC3 | Junos 15.1X49-D10.1 | Standard | 04 Sep 2015
SRX5600 | Junos 12.1X46-D40.2 (*1) | Standard | 18 Nov 2015
SRX5600 w/RE-1800X4 | Junos 12.1X47-D20.7 | Standard | 11 May 2015
SRX5600 w/IOC3 | Junos 15.1X49-D10.1 | Standard | 04 Sep 2015
SRX5800 | Junos 12.1X46-D40.2 (*1) | Standard | 18 Nov 2015
SRX5800 w/RE-1800X4 | Junos 12.1X47-D20.7 | Standard | 11 May 2015
SRX5800 w/IOC3 | Junos 15.1X49-D10.1 | Standard | 04 Sep 2015

Thursday 12 November 2015

Hardware End of Life Announcement - SRX100, SRX210, SRX240 and SRX650

End of Life for the SRX-series products listed in the attached document. This EOL announcement is effective immediately with a Last Order Date (LOD) of May 1, 2016. On the last order date, the products are removed from the pricelist and are no longer orderable.

Tuesday 10 November 2015

How to Configure SRX Security Zones with Junos

You cannot manage the SRX Services Gateway as you would a router. The SRX is a locked-down device. You can’t even ping an interface on the SRX initially, even if it has a valid IP address. The SRX uses the concept of nested security zones. Zones are a critical concept in SRX configuration. No traffic goes in or out unless the security zones are configured properly on the SRX interfaces.
To configure a security zone, you need to associate the interface with a security zone, and then the security zones need to be bound with a routing instance (if there are multiple routing instances).
It sounds complicated, but it’s not. First, you configure the zones and then you associate the interfaces with the zones. Here, we're assuming that you’re using only one routing instance. You can configure a zone with more than one interface. However, each interface can belong to only one zone.
Now, establish two security zones for a simple SRX configuration. One zone is for a local LAN called admins (administration) on interface ge-0/0/0.0, and the other zone is for two links to the Internet called untrust with interfaces ge-0/0/1.0 and ge-0/0/2.0 (the commands below are relative to the [edit security zones] hierarchy):

root# edit security zones
[edit security zones]
root# set security-zone admins
root# set security-zone untrust
root# set security-zone admins interfaces ge-0/0/0.0
root# set security-zone untrust interfaces ge-0/0/1.0
root# set security-zone untrust interfaces ge-0/0/2.0

Always configure zones from the perspective of the SRX you are configuring. Many other zones may be on the LAN (trust, accounting, and so on). But this SRX only links to admins and untrust.
Now you can add services to the zones you just configured. Assume that inbound ssh, ftp, and ping traffic is permitted from the untrusted zone.
This is just an example. Before you enable any services at all on your SRX, make sure you truly need them. FTP in particular is often considered risky because FTP has no real security, and you just punched a big hole for it in your security zone.

[edit security zones]
root# set security-zone untrust host-inbound-traffic system-services ssh
root# set security-zone untrust host-inbound-traffic system-services ftp
root# set security-zone untrust host-inbound-traffic system-services ping

Your configuration now looks like this:
[edit security]
zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ssh;
                ftp;
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
            ge-0/0/2.0;
        }
    }
    security-zone admins {
        interfaces {
            ge-0/0/0.0;
        }
    }
}
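As an added example (not Juniper's code and not from the original post), this Python parses the brace-style zone configuration above and checks the two rules the text states: each interface belongs to exactly one zone, and every host-inbound service on the untrust zone was chosen deliberately (ftp is flagged, as the text warns). It then emits the equivalent 'set' commands. The list of services treated as risky is an assumption of this example.

```python
"""Added example, not Juniper's code: parse the brace-style zone configuration
shown above and check the rules the text states (each interface belongs to
exactly one zone; every host-inbound service on the untrust zone was chosen on
purpose, with ftp flagged as the text warns), then emit the equivalent 'set'
commands. The config text is the page's example; the list of services treated
as risky is an assumption of this example."""
from typing import Any, Dict, List

Config = Dict[str, Any]  # nested dicts; a leaf statement maps to None

ZONES_CONFIG = """\
zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ssh;
                ftp;
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
            ge-0/0/2.0;
        }
    }
    security-zone admins {
        interfaces {
            ge-0/0/0.0;
        }
    }
}
"""

# Cleartext management services this example refuses on an untrusted zone (assumption).
RISKY_SERVICES = {"ftp", "telnet", "http"}


def parse_junos(text: str) -> Config:
    """Parse Junos curly-brace configuration text into nested dicts."""
    root: Config = {}
    stack: List[Config] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            block: Config = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("missing closing '}'")
    return root


def zone_interfaces(cfg: Config) -> Dict[str, List[str]]:
    """Map each security zone name to the interfaces bound to it."""
    zones: Dict[str, List[str]] = {}
    for key, body in cfg.get("zones", {}).items():
        if key.startswith("security-zone "):
            zones[key.split(" ", 1)[1]] = sorted((body or {}).get("interfaces") or {})
    return zones


def interface_conflicts(cfg: Config) -> Dict[str, List[str]]:
    """Interfaces bound to more than one zone (Junos allows exactly one)."""
    owners: Dict[str, List[str]] = {}
    for zone, ifaces in zone_interfaces(cfg).items():
        for iface in ifaces:
            owners.setdefault(iface, []).append(zone)
    return {i: z for i, z in owners.items() if len(z) > 1}


def risky_inbound(cfg: Config, zone: str) -> List[str]:
    """Host-inbound system-services on `zone` that are in RISKY_SERVICES."""
    body = cfg.get("zones", {}).get(f"security-zone {zone}") or {}
    services = (body.get("host-inbound-traffic") or {}).get("system-services") or {}
    return sorted(s for s in services if s in RISKY_SERVICES)


def to_set_commands(cfg: Config, prefix: str = "set security") -> List[str]:
    """Flatten the hierarchy into one 'set' command per leaf statement."""
    cmds: List[str] = []

    def walk(node: Config, path: List[str]) -> None:
        for key, child in node.items():
            if child:
                walk(child, path + [key])
            else:
                cmds.append(" ".join(path + [key]))

    walk(cfg, [prefix])
    return cmds


if __name__ == "__main__":
    cfg = parse_junos(ZONES_CONFIG)
    print("zones:", zone_interfaces(cfg))
    print("conflicts:", interface_conflicts(cfg) or "none")
    print("risky services on untrust:", risky_inbound(cfg, "untrust"))
    print("\n".join(to_set_commands(cfg)))
```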

Thursday 15 October 2015

ScreenOS: Network based denial of service vulnerability in ScreenOS

Product Affected:

This issue can affect any Netscreen and ScreenOS Series products running ScreenOS.
 
Problem:

A vulnerability in ScreenOS L2TP packet processing may allow a remote network based attacker to cause a denial of service condition on ScreenOS devices by sending a crafted L2TP packet.

This issue is assigned CVE-2015-7750.
 
Solution:

This issue has been resolved in ScreenOS 6.3.0r13-dnd1 and 6.3.0r18-dnc1.

This issue is being tracked as PR 1086779 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.


Workaround:
On ScreenOS 6.3.0 this issue can be mitigated by not configuring L2TP settings.

Saturday 10 October 2015

Cisco/Juniper Commands

Cisco Command | Juniper Command | Definition
--- | --- | ---
show run | sh configuration | Show running configuration
sh ver | sh ver | Show version
show ip interface brief | show interface terse | displays the status of interfaces configured for IP
show interface [intfc] | show interfaces [intfc] detail | displays the interface configuration, status and statistics
show controller intfc | show interfaces intfc extensive | displays information about a physical port device
show interface \| incl (proto\|Desc) | show interfaces description | displays the interface configuration, status and statistics
show ip route | show route | displays summary information about entries in the routing table
show ip bgp summary | show bgp summary | displays the status of all Border Gateway Protocol (BGP) connections
show ip bgp net mask | show route protocol bgp prefix | will show you how that route is being advertised; look for the first line
show ip bgp net mask longer-prefixes | show route range prefix | will show you how that route is being advertised; look for the first line
show ip bgp regexp AS-regexp | show route aspath-regexp "AS-regexp" | displays routes matching the autonomous system (AS) path regular expression
show ip bgp neighbors neigh received-routes | show route receive-protocol bgp neigh; show route source-gateway neigh protocol bgp | Shows whether a neighbor supports the route refresh capability
show ip bgp neighbor neigh advertised-routes | show route advertising-protocol bgp neigh | Shows whether a neighbor supports the route refresh capability
show clns neighbors | show isis adjacency | displays both ES and IS neighbors
show clns interface | show isis interface | shows specific information about each interface
show ip route isis | show isis routes | displays the current state of the routing table
show isis topology | show isis spf | displays a list of all connected routers in all areas
show ip ospf interface | show ospf neighbor | shows neighbor ID, priority, IP, and state of the neighbor router, and dead time
show ip ospf interface | show ospf interface | shows neighbor id, pri, state, dead time, address and interface
show ip route ospf | show ospf route | display the current state of the routing table
show ip ospf database | show ospf database | display list of information related to the OSPF database for a specific communication server
show version | show version, show system uptime | display the system hardware config., software version, and name and source of configuration files and boot images
show diags | show chassis hardware | displays power-on diagnostics status
show processes cpu | show system process | displays utilization statistics
show tech-support | request support info | displays the current software image, configuration, controllers, counters, stacks, interfaces, memory and buffers
show logging | show log messages | display the state of logging to the syslog
show route-map name | show policy name | display all route-maps configured or only the one specified
show ip prefix-list name | show policy name | display information about a prefix list or prefix list entries
show ip community-list list | configure, show policy-options community name | display routes that are permitted by BGP community list
show environment all | show chassis environment | displays temperature and voltage information on the console
ping dest | ping dest rapid (for Cisco-like output); ping dest (for Unix-like output) | to check to see if a destination is alive
ping (setting source int) | ping dest bypass-routing | to check to see if a destination is alive
terminal monitor | monitor start messages | Change console terminal settings
terminal no monitor | monitor stop | Change console terminal settings
terminal length 0 | set cli screen-length 0 | sets the length for displaying command output

Saturday 3 October 2015

Junos: Enterprise networks gain scalability, security, and flexibility.

As businesses move to the cloud to solve their data management and access problems, they see a critical need for solutions that can help them bridge the gap between their existing environment and their vision of a more agile and flexible network.
In today’s enterprise campus, the majority of networks are manual systems comprising layers of switches, VLANs, and security products, each adding operational complexity. Because these layers must be administered manually, they introduce the potential for human errors that can disrupt services and open security gaps.
These challenges are prompting a growing number of enterprises to adopt cloud technologies as their primary operating model. With the right tools and platforms, enterprises can transform their campus network into a critical on-ramp to cloud-based applications that are deployed in private clouds and on-premise data centers or hosted in remote locations.

Cloud-Enable the Enterprise Campus

Enter Juniper Unite - a simple and secure cloud-enabled infrastructure that supports a diverse set of devices, applications, people, and things.
Juniper Unite dynamically provides network infrastructure to support any business imperative while improving your employees’ business productivity securely, wherever they are.
  • Simplified infrastructure that is scalable and resilient to keep up with the demands of users and cloud applications. Combined with a management interface that provides zero-touch provisioning and visibility into network operations, these elements lower the costs associated with today’s brittle and complex enterprise networks.
  • Comprehensive enterprise security that provides visibility into the network and the ability to defend against threats in real time via a multitude of sensors and third-party feeds.
  • Open Convergence Framework with APIs that integrate with best-of-breed technology such as WLAN and unified communications or security feeds. The APIs also offer automation and orchestration capabilities for the future.
Juniper Unite delivers high-scale service capabilities for enterprise IT departments, with innovation derived from building the world’s largest cloud-based networks and tailoring it to the enterprise.

Saturday 12 September 2015

Hardware End of Life Announcement – COMPL - NEBS - M120 - S

This document announces the End of Life for the product listed in the table below. This EOL announcement is effective immediately with a Last Order Date (LOD) of February 28, 2016. On the last order date, the product is removed from the pricelist and is no longer orderable.

Saturday 5 September 2015

Software Release Notification: Junos OS 14.2R4

Junos OS 14.2R4 is now available.

Download Junos OS Software:
1. Go to Junos Platforms - Download Software page.
2. Select your product.
3. Under 'Version' on the right, select your version.
4. Click the "Software" tab.
5. Select the Install Package Release needed, and follow the prompts.

Saturday 22 August 2015

Juniper Expands Junos from Network OS to Full Platform

Juniper has expanded its Junos software portfolio beyond the operating system, adding new capabilities to link into the application space as well as client software for mobile and personal computing devices.
Together, the Junos operating system, the Junos Space network application platform, and the Junos Pulse client form the Junos Platform.

By integrating these software layers of the network into one platform, Juniper is expanding the ways that applications can interact with the network from the cloud out to the end user.

As part of the Junos Platform, Juniper provides a set of programming interfaces and software development kits (SDKs) that developers can use to specify the application interactions.

Unlike other platforms that merely enable third parties to interface through APIs, these SDKs give application developers a broad set of development interfaces and tools to build a wide variety of applications richly integrated to the Junos Platform.

Junos Space application development and hosting

Junos Space is an open network platform for developing and hosting applications that interact with the network. The Junos Space platform provides multilayered network abstractions and workflows that allow users to automate network operations and increase operator efficiency.

The software includes a scalable runtime environment with multitenant, hot-pluggable network application support, a network application development framework, and a web 2.0 user interface.

Junos Space provides a development environment for fast development of network-aware applications. The application development framework includes a common infrastructure, a software development kit (SDK) with prebuilt core services and widgets to allow easy user-interface prototyping, and standards-based APIs for third-party application integration. Using the Junos Space SDK, developers have the option of creating different classes of applications. These include mashups, customized business process workflows, and native applications.

Sunday 2 August 2015

OpenFlow Support on Devices Running Junos OS

Table 1 lists the devices running Junos OS that support OpenFlow. For each device, the table lists the supported OpenFlow versions, the initial Junos OS Release that must be installed for support of a particular OpenFlow version, and the corresponding OpenFlow software package for that device and Junos OS release. The OpenFlow software package release must match the Junos OS release of the device on which the software is installed.
Table 1: OpenFlow Support on Devices Running Junos OS

Device | OpenFlow Version | Junos OS Release | Software Package
--- | --- | --- | ---
EX4550 Ethernet switches | v1.0 | 13.2X51-D20 | jsdn-powerpc
EX9200 Ethernet switches | v1.0 | 13.3R1 | jsdn-i386
EX9200 Ethernet switches | v1.3.1 | 14.2R1 | jsdn-i386
MX80 3D Universal Edge routers | v1.0 | 13.3R1 | jsdn-powerpc
MX80 3D Universal Edge routers | v1.3.1 | 14.2R1 | jsdn-powerpc
MX240, MX480, MX960 3D Universal Edge routers | v1.0 | 13.3R1 | jsdn-i386
MX240, MX480, MX960 3D Universal Edge routers | v1.3.1 | 14.2R1 | jsdn-i386
QFX5100 Ethernet switches | v1.0 | 14.1X53-D10 | jsdn-i386
QFX5100 Ethernet switches | v1.3.1 | 14.1X53-D10 | jsdn-i386

Table 2 lists support for various OpenFlow features on devices running Junos OS that support OpenFlow.
Table 2: OpenFlow Features Supported on Devices Running Junos OS

Device | Hybrid Interfaces | Multi-VLAN Support | OpenFlow over MPLS
--- | --- | --- | ---
EX4550 Ethernet switches | No | No | No
EX9200 Ethernet switches | Yes | Yes | No
MX80 3D Universal Edge router | Yes | Yes | Yes
MX240, MX480, MX960 3D Universal Edge routers | Yes | Yes | Yes
QFX5100 Ethernet switches | No | Yes | No

Saturday 18 July 2015

vSRX

vSRX

Overview

Data centers increasingly rely on server virtualization to deliver services faster and more efficiently than ever before. But virtualization introduces a new set of security risks. Network and security professionals must perform a delicate balancing act, delivering the benefits of virtualization and cloud technologies without undermining the security of the organization.

This challenge can only be met by a new breed of security solutions that keep pace with evolving threats while matching the agility and scalability of virtualized and cloud environments—without sacrificing reliability, visibility or control.

The vSRX virtual firewall answers this challenge with a complete and integrated virtual security solution, including core firewall, robust networking, advanced security services at Layers 4–7, and automated lifecycle management capabilities for enterprises and service providers alike. Automated provisioning capabilities, enabled through Junos® Space Virtual Director, let you quickly and efficiently deploy scalable firewall protection to meet the dynamic needs of virtualized and cloud environments.

Features

  • Extends proven SRX Series Services Gateway capabilities to virtualized and cloud environments.
  • Delivers robust connectivity and routing features, including IPsec VPN, Network Address Translation (NAT) and advanced routing.
  • Provides mission-critical reliability for business continuity, with support for stateful active/active and active/passive high-availability deployment options.
  • Integrates virtualization-specific unified threat management (UTM), intrusion prevention system (IPS) and AppSecure 2.0 services for a comprehensive threat management framework.
  • Automates the virtual machine (VM) lifecycle, from provisioning through decommissioning, with Junos Space Virtual Director.
  • Centralizes security policy management across physical and virtual environments through Junos Space Security Director.
  • Supports SDN and NFV via integration with Contrail, OpenContrail and third-party SDN solutions.

Thursday 9 July 2015

Junos: SRX 'set system ports console insecure' not functioning as expected (CVE-2015-3007)

Product Affected:
This issue affects the SRX Series services gateways running Junos OS 12.1X46-D15 and later releases.
Problem:
On SRX Series services gateways, the 'set system ports console insecure' feature does not work as expected. This feature is intended to prevent non-root users from performing password recovery using the console (see KB22619). This vulnerability may allow a non-root user with physical access to the console port to gain full administrative privileges.

This issue affects SRX Series services gateways only. No other Junos devices are affected.

This feature was first introduced in SRX 12.1X46-D15. Earlier releases are unaffected by this vulnerability.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2015-3007.
Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D35, 12.1X47-D25, 12.3X48-D15, and all subsequent releases.

This issue is being tracked as PR 1016488 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
Workaround:
Protect SRX Series services gateways from unauthorized console and/or physical access.
Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Sunday 5 July 2015

Next-gen vSRX firewall

Juniper’s new software evaluation program makes it easy for you to try vSRX and see for yourself how our newest next-generation firewall automates and scales with maximum control and efficiency.
All you have to do is download, install and put it to work for 60 days. If at the end of the trial period you want to purchase vSRX, there’s a simple conversion process—no need to re-install it!

Three Steps to Start Your vSRX Trial

1. Select your version of vSRX from the list below. (By clicking the link, you accept the Juniper End-User License Agreement.)
2. Log into your Juniper user account to start the download. If you don't have an account, you can create one.
3. You have the option to download the trial license key to enable advanced security features, including UTM, IPS, and AppSecure, for 30 days.
Click here for instructions on how to install the license key.
Application Package:

Release | Format | Size | File Date | MD5 | SHA1
--- | --- | --- | --- | --- | ---
12.1X47-D20 | jva | 233,339,238 | 09 Mar 2015 | 11a141629a3896f82cb65d65bceaefd5 | 6ff650b771fe966e56069c37b0958c737a477b96
12.1X47-D20 | tgz | 231,821,106 | 11 Mar 2015 | ffb80cebee8a685a25bc71fe1a910c49 | 40f0efc1aac9e2711e697563f66f0ba673eae75f
12.1X47-D20 | ova | 235,960,320 | 09 Mar 2015 | 5a992d618b8b40fa4a3cffd234636643 | ccbac5b5e4075384dc8657d9d4d0661a9f33e469

Software Release:

Release | Format | Size | File Date | MD5 | SHA1
--- | --- | --- | --- | --- | ---
12.1X47-D20 | pem | 1,744 | 27 Aug 2014 | f4a12bbd4d3e775b817d50f8aafba702 | ee06bb219afa18cf6947b6cbcb8f92197dab973b

Saturday 20 June 2015

Contrail - Juniper SDN Controller

Contrail is a simple, open and agile software defined networking solution that automates and orchestrates the creation of highly scalable virtual networks. Contrail makes it easy to connect clouds and the virtualized resources within them—quickly, at scale and without changes to your underlying physical network.

Simple, open and agile. Juniper Networks Contrail uniquely delivers on all three:
  • Simple — using existing networking protocols makes it easy to connect virtual networks and physical networks.
  • Open — with Contrail you don’t need to worry about vendor lock-in. We interoperate seamlessly with a wide range of hypervisors and open orchestration systems.
  • Agile — rapidly create virtual networks to public, private and hybrid clouds, while deep analytics capabilities give you unparalleled visibility and insights.
Service providers can use Contrail to enable a range of innovative new services, including cloud-based offerings and virtualized managed services. For enterprises, Contrail can increase business agility by enabling the migration of applications and IT resources to more flexible private or hybrid cloud environments.

Friday 5 June 2015

Hardware End of Life Reminder - PB-PM2 and PB-PM3 Physical Interface Cards (PICs)

Alert Type:

PSN - Product Support Notification

Product Affected:
PB-PM2, PB-PM3, S-DFC, S-MONITOR, S-COLLECTOR 
 
Alert Description:
The PB-PM2 and PB-PM3 Physical Interface Cards (PICs) will reach the End of Service (EOS) milestone date on June 30, 2015, when all support services are no longer available. The products reach End of Support five (5) years after the last order date. No support services contracts are available and the last contract will expire on the published EOS date.
 
Solution:
Please reference the Technical Bulletin TSB14970 for additional details regarding the entire EOS timeline for these products. Login to the CSC is required. Please visit the Juniper Networks Support End of Life page for specific product milestones and dates.

Sunday 24 May 2015

Junosphere

Cloud-based network testing, design, and training environment

A cloud-based service that allows networking professionals to perform network testing, design, and training exercises in a risk-free virtual environment using real network operating systems.

Overview

Junosphere Cloud is a virtual environment where users can create and run networks that use the Junos operating system. It reduces costs and limits risk by providing a lab where network implementations can be designed and modeled.

Virtual networks created in Junosphere can be used for training, network modeling, planning for new services, or examining “what-if” scenarios for the installed network. They can easily achieve a level of scale and accuracy not possible with alternative network simulation approaches.

Features

  • SaaS Platform provides maximum uptime and availability.
  • Efficient Scale enables larger networking resources for more accurate networks and topologies and reduced student-to-equipment ratio.
  • Demand-Based Pricing allows purchase of Junosphere access based on time and network size.
  • Real Operating System gives Junosphere users access to the same full-featured Junos OS running in thousands of commercial networks.
  • Flexible Network Designs include a variety of options for network topology design, including importing configurations from a live network, a graphical design wizard, and text-based configurations.
  • Flexibility and Agility allow virtual resources to be modified, ordered, and implemented much more quickly than physical networks.
  • Interoperability and Integration enable virtual resources to interoperate with real-world networks.
  • Complete Lab Ecosystem provides access to a variety of partner tools, in addition to Junos OS network elements.

Saturday 16 May 2015

Junos Dates & Milestones

The table below details important information relevant to each Junos release. The dates and milestones provided are in accordance with the policies at the time of each software release and are in accordance with stated End of Life/End of Support policies for Juniper Networks.
Product    FRS Date    End of Engineering    End of Support
Junos 14.21 11/05/2014 11/05/2017 05/05/2018
Junos 14.1X53 09/26/2014 12/31/2016 06/30/2017
Junos 14.11 06/13/2014 12/13/2017 06/13/2018
Junos 13.31 01/22/2014 01/22/2017 07/22/2017
Junos 13.2X52 07/06/2014 12/31/2015 06/30/2016
Junos 13.2X51 11/22/2013 12/31/2015 06/30/2016
Junos 13.2X50 06/28/2013 06/28/2014 12/28/2014
Junos 13.2 08/29/2013 08/29/2015 02/29/2016
Junos 13.1X50 07/25/2013 06/30/2015 12/30/2015
Junos 13.1 03/15/2013 03/15/2015 09/15/2015
Junos 12.3X544 07/18/2014 07/18/2016 01/18/2017
Junos 12.3X524 08/23/2013 08/23/2015 02/23/2016
Junos 12.3X514 03/15/2013 03/15/2015 09/15/2015
Junos 12.3X50 12/08/2012 01/31/2016 07/31/2016
Junos 12.3X481 03/06/2015 03/06/2018 09/06/2018
Junos 12.31 01/31/2013 01/31/2016 07/31/2016
Junos 12.2X50 07/05/2012 01/31/2015 07/31/2015
Junos 12.2 09/05/2012 09/05/2014 03/05/2015
Junos 12.1X49 04/19/2012 04/19/2014 10/19/2014
Junos 12.1X48 01/28/2013 12/30/2014 06/30/2015
Junos 12.1X472 08/18/2014 08/18/2016 02/18/2017
Junos 12.1X46123 12/30/2013 12/30/2016 06/30/2017
Junos 12.1X452 07/17/2013 07/17/2014 01/17/2015
Junos 12.1X4412 01/18/2013 01/18/2016 07/18/2016
Junos 12.1 03/28/2012 03/28/2014 09/28/2014
Junos 11.41 12/21/2011 12/21/2014 06/21/2015
Junos 11.3 08/15/2011 07/15/2012 03/15/2013
Junos 11.2 08/03/2011 06/15/2012 02/15/2013
Junos 11.1 03/29/2011 11/15/2011 05/15/2012
Junos 10.41 12/08/2010 12/08/2013 06/08/2014
Junos 10.3 08/15/2010 08/03/2011 12/21/2011
Junos 10.2 05/28/2010 05/15/2011 11/15/2011
Junos 10.1 02/15/2010 11/15/2010 05/15/2011
Junos 10.01 11/04/2009 11/15/2012 05/15/2013
Junos 9.6 08/06/2009 05/06/2010 11/06/2010
Junos 9.5 04/14/2009 02/15/2010 08/15/2010
Junos 9.4 02/11/2009 11/11/2009 05/11/2010
Junos 9.31 11/14/2008 11/15/2011 05/15/2012
Junos 9.2 08/12/2008 05/12/2009 11/12/2009
Junos 9.1 04/28/2008 01/28/2009 07/28/2009
Junos 9.0 02/15/2008 11/15/2008 05/15/2009
Junos 8.51 11/16/2007 11/16/2010 05/16/2011
Junos 8.4 08/09/2007 05/09/2008 11/09/2008
Junos 8.3 04/18/2007 01/18/2008 07/18/2008
Junos 8.2 02/15/2007 11/15/2007 05/15/2008
Junos 8.11 11/06/2006 11/06/2009 05/06/2010
Junos 8.0 08/15/2006 05/15/2007 11/15/2007
Junos 7.6 05/15/2006 02/15/2007 08/15/2007
Junos 7.5 02/08/2006 11/08/2006 05/08/2007
Junos 7.4 11/15/2005 08/15/2006 02/15/2007
Junos 7.3 08/16/2005 05/16/2006 11/16/2006
Junos 7.2 05/14/2005 02/14/2006 08/14/2006
Junos 7.1 02/14/2005 11/14/2005 05/14/2006
Junos 7.0 11/15/2004 08/15/2005 02/15/2006
Junos 6.4 08/12/2004 05/12/2005 11/12/2005
Junos 6.3 05/15/2004 02/15/2005 08/15/2005
Junos 6.2 02/15/2004 11/15/2004 05/15/2005
Junos 6.1 11/15/2003 08/15/2004 02/15/2005
Junos 6.0 08/15/2003 05/15/2004 11/15/2004
Junos 5.7 05/15/2003 02/15/2004 08/15/2004
Junos 5.6 02/15/2003 11/15/2003 05/15/2004
Junos 5.5 11/15/2002 08/15/2003 02/15/2004
Junos 5.4 08/12/2002 05/15/2003 11/15/2003
Junos 5.3 05/12/2002 02/15/2003 08/15/2003
Junos 5.2 02/12/2002 11/12/2002 05/15/2003
Junos 5.1 11/07/2001 08/12/2002 02/15/2003
Junos 5.0 08/17/2001 05/15/2002 11/15/2002
Junos 4.4 04/30/2001 02/12/2002 08/15/2002
Junos 4.3 01/31/2001 11/12/2001 05/15/2002
Junos 4.2 10/16/2000 08/13/2001 02/15/2002
Junos 4.1 08/15/2000 05/14/2001 11/15/2001
Junos 4.0 03/31/2000 02/12/2001 08/15/2001

Pre-12.1 Releases (other than EEOL Releases):
EOE date: The earlier of (i) the date eighteen (18) months from first general availability or (ii) two (2) subsequent releases of such software.
EOL/EOS date: The earlier of (i) the date twelve (12) months after the EOE date or (ii) two (2) subsequent releases of such software.
Release 12.1 and following (other than EEOL Releases):
EOE date: The date twenty four (24) months after the first general availability date.
EOL/EOS date: The date six (6) months after the EOE date.

Wednesday 6 May 2015

JUNOS Boot from Backup Image – Recovery

Another quick aide-mémoire describing the recovery of a corrupted JUNOS image: the EX3300 series LAN switch has booted from the backup image.
--- JUNOS 11.4R5.5 built 2012-08-25 05:29:29 UTC
***********************************************************************
**                                                                   **
**  WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE      **
**                                                                   **
**  It is possible that the primary copy of JUNOS failed to boot up  **
**  properly, and so this device has booted from the backup copy.    **
**                                                                   **
**  Please re-install JUNOS to recover the primary copy in case      **
**  it has been corrupted.                                           **
**                                                                   **
***********************************************************************
darenm@coresw1# show version
## Last changed: 2015-02-13 10:50:43 UTC
version 11.4R5.5;
darenm@coresw1> exit
darenm@coresw1> show version
fpc0:
--------------------------------------------------------------------------
Hostname: coresw1
Model: ex3300-48p
JUNOS Base OS boot [11.4R5.5]
JUNOS Base OS Software Suite [11.4R5.5]
JUNOS Kernel Software Suite [11.4R5.5]
JUNOS Crypto Software Suite [11.4R5.5]
JUNOS Online Documentation [11.4R5.5]
JUNOS Enterprise Software Suite [11.4R5.5]
JUNOS Packet Forwarding Engine Enterprise Software Suite [11.4R5.5]
JUNOS Routing Software Suite [11.4R5.5]
JUNOS Web Management [11.4R5.5]
JUNOS FIPS mode utilities [11.4R5.5]
{master:0}
darenm@coresw1>
UPLOAD NEW IMAGE OF CORRECT VERSION:
darenm@coresw1> ping 10.15.52.74
PING 10.15.52.74 (10.15.52.74): 56 data bytes
64 bytes from 10.15.52.74: icmp_seq=0 ttl=122 time=201.971 ms
64 bytes from 10.15.52.74: icmp_seq=1 ttl=122 time=201.505 ms
^C
--- 10.15.52.74 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 201.505/201.738/201.971/0.233 ms
request system software add ftp://dst:dst@10.15.52.74/jinstall-ex-3300-12.3R3.4-domestic-signed.tgz
darenm@coresw1> …ex-3300-12.3R3.4-domestic-signed.tgz
Checking pending install on fpc0
Fetching package…
Validating on fpc0
Done with validate on all virtual chassis members
fpc0:
WARNING: A reboot is required to install the software
WARNING:     Use the 'request system reboot' command immediately
{master:0}
darenm@coresw1>
darenm@coresw1> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 1270]
{master:0}
darenm@coresw1>
*** FINAL System shutdown message from darenm@coresw1 ***
System going down IMMEDIATELY
NOW VERIFY:
darenm@coresw1> show chassis routing-engine
Routing Engine status:
Slot 0:
Current state                  Master
Temperature                 34 degrees C / 93 degrees F
CPU temperature             34 degrees C / 93 degrees F
DRAM                      1024
Memory utilization          37 percent
CPU utilization:
User                       1 percent
Background                 0 percent
Kernel                     0 percent
Interrupt                  0 percent
Idle                      99 percent
Model                          EX3300 48-Port POE+
Serial ID                      GB0212528309
Start time                     2015-02-13 11:43:31 UTC
Uptime                         7 minutes, 59 seconds
Last reboot reason             Router rebooted after a normal shutdown.
Load averages:                 1 minute   5 minute  15 minute
0.13       0.72       0.46
{master:0}
darenm@coresw1>
darenm@coresw1> show version
fpc0:
--------------------------------------------------------------------------
Hostname: coresw1
Model: ex3300-48p
JUNOS Base OS boot [12.3R3.4]
JUNOS Base OS Software Suite [12.3R3.4]
JUNOS Kernel Software Suite [12.3R3.4]
JUNOS Crypto Software Suite [12.3R3.4]
JUNOS Online Documentation [12.3R3.4]
JUNOS Enterprise Software Suite [12.3R3.4]
JUNOS Packet Forwarding Engine Enterprise Software Suite [12.3R3.4]
JUNOS Routing Software Suite [12.3R3.4]
JUNOS Web Management [12.3R3.4]
JUNOS FIPS mode utilities [12.3R3.4]
{master:0}
darenm@coresw1>
darenm@coresw1> show system storage partitions
fpc0:
--------------------------------------------------------------------------
Boot Media: internal (da0)
Active Partition: da0s2a <========== ** THIS IS THE ACTIVE SLICE **
Backup Partition: da0s1a
Currently booted from: active (da0s2a) <========== ** THIS IS THE ACTIVE SLICE **
Partitions information:
Partition  Size   Mountpoint
s1a        183M   altroot
s2a        184M   /
s3d        369M   /var/tmp
s3e        123M   /var
s4d        62M    /config
{master:0}
darenm@coresw1>
PROBLEM: LOWER VERSION ON (CURRENT) BACKUP PARTITION:
darenm@coresw1> show system snapshot media internal
fpc0:
--------------------------------------------------------------------------
Information for snapshot on       internal (/dev/da0s1a) (backup)
Creation date: Aug 25 10:00:09 2012
JUNOS version on snapshot:
jbase  : ex-11.4R5.5
jkernel-ex-3300: 11.4R5.5
jweb-ex: 11.4R5.5
jcrypto-ex: 11.4R5.5
jdocs-ex: 11.4R5.5
jswitch-ex: 11.4R5.5
jpfe-ex33x: 11.4R5.5
jroute-ex: 11.4R5.5
fips-mode-arm: 11.4R5.5
Information for snapshot on       internal (/dev/da0s2a) (primary)
Creation date: Feb 13 11:42:23 2015
JUNOS version on snapshot:
jbase  : ex-12.3R3.4
jkernel-ex-3300: 12.3R3.4
jweb-ex: 12.3R3.4
jcrypto-ex: 12.3R3.4
jdocs-ex: 12.3R3.4
jswitch-ex: 12.3R3.4
jpfe-ex33x: 12.3R3.4
jroute-ex: 12.3R3.4
fips-mode-arm: 12.3R3.4
{master:0}
darenm@coresw1>
darenm@coresw1> show virtual-chassis status
Preprovisioned Virtual Chassis
Virtual Chassis ID: b9fc.2725.cccf
Virtual Chassis Mode: Enabled
Mstr           Mixed Neighbor List
Member ID  Status   Serial No    Model     prio  Role      Mode ID  Interface
0 (FPC 0)  Prsnt    GB0212528309 ex3300-48p 129  Master*     NA  1  vcp-255/1/2
1  vcp-255/1/3
1 (FPC 1)  Prsnt    GB0212528262 ex3300-48p 129  Backup      NA  0  vcp-255/1/2
0  vcp-255/1/3
{master:0}
darenm@coresw1>
darenm@coresw1> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/2         Configured          5    Up           10000        1   vcp-255/1/2
1/3         Configured          5    Up           10000        1   vcp-255/1/3
fpc1:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
or                             ID                 (mbps)       ID  Interface
PIC / Port
1/2         Configured          5    Up           10000        0   vcp-255/1/2
1/3         Configured          5    Up           10000        0   vcp-255/1/3
{master:0}
darenm@coresw1>
COPY IMAGE FROM PRIMARY TO BACKUP:
darenm@coresw1> request system snapshot slice alternate
fpc0:
--------------------------------------------------------------------------
Formatting alternate root (/dev/da0s1a)...
Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes)
The following filesystems were archived: /
fpc1:
--------------------------------------------------------------------------
Formatting alternate root (/dev/da0s1a)...
Copying '/dev/da0s2a' to '/dev/da0s1a' .. (this may take a few minutes)
The following filesystems were archived: /
{master:1}
darenm@coresw1>
VERIFY:
darenm@sajoncoresw1> show system snapshot media internal
fpc0:
--------------------------------------------------------------------------
Information for snapshot on       internal (/dev/da0s1a) (backup)
Creation date: Mar 3 12:04:17 2015
JUNOS version on snapshot:
jbase  : ex-12.3R3.4
jkernel-ex-3300: 12.3R3.4
jweb-ex: 12.3R3.4
jcrypto-ex: 12.3R3.4
jdocs-ex: 12.3R3.4
jswitch-ex: 12.3R3.4
jpfe-ex33x: 12.3R3.4
jroute-ex: 12.3R3.4
fips-mode-arm: 12.3R3.4
Information for snapshot on       internal (/dev/da0s2a) (primary)
Creation date: Feb 13 11:42:23 2015
JUNOS version on snapshot:
jbase  : ex-12.3R3.4
jkernel-ex-3300: 12.3R3.4
jweb-ex: 12.3R3.4
jcrypto-ex: 12.3R3.4
jdocs-ex: 12.3R3.4
jswitch-ex: 12.3R3.4
jpfe-ex33x: 12.3R3.4
jroute-ex: 12.3R3.4
fips-mode-arm: 12.3R3.4
fpc1:
--------------------------------------------------------------------------
Information for snapshot on       internal (/dev/da0s1a) (backup)
Creation date: Mar 3 12:09:49 2015
JUNOS version on snapshot:
jbase  : ex-12.3R3.4
jkernel-ex-3300: 12.3R3.4
jweb-ex: 12.3R3.4
jcrypto-ex: 12.3R3.4
jdocs-ex: 12.3R3.4
jswitch-ex: 12.3R3.4
jpfe-ex33x: 12.3R3.4
jroute-ex: 12.3R3.4
fips-mode-arm: 12.3R3.4
Information for snapshot on       internal (/dev/da0s2a) (primary)
Creation date: Jun 14 03:12:32 2013
JUNOS version on snapshot:
jbase  : ex-12.3R3.4
jkernel-ex-3300: 12.3R3.4
jweb-ex: 12.3R3.4
jcrypto-ex: 12.3R3.4
jdocs-ex: 12.3R3.4
jswitch-ex: 12.3R3.4
jpfe-ex33x: 12.3R3.4
jroute-ex: 12.3R3.4
fips-mode-arm: 12.3R3.4
{master:1}
darenm@sajoncoresw1>

Tuesday 14 April 2015

Patch Assessment Support - Software Deprecation

Patch Assessment Support using Shavlik, offered via Juniper, will be deprecated at the end of June 2015, and the Patch Assessment data file will no longer be updated.

Junos Pulse Connect Secure and Junos Pulse Policy Secure (UAC 5.1 / SA 8.1), formerly known as Junos Pulse Secure Access Service and Junos Pulse Access Control Service respectively, will not contain Patch Assessment via Shavlik. However, there will be a means of device posture assessment for patches via OPSWAT.

The OPSWAT solution will not be identical in experience or functionality, owing to differences in technology, but will provide the essential assessment capabilities addressing critical needs for our customers.

In addition, Junos Pulse Secure Access Service 8.0 and below and Junos Pulse Access Control Service 5.0 and below will lose the ability to carry out Patch Assessment for patches available after June 2015, because the Patch Assessment data file will no longer be updated.

Patch Assessment functionality via Shavlik will be deprecated starting with SA 8.1 / UAC 5.1 / Junos Pulse 5.1. At that time, Patch Assessment will be provided through other means utilizing capabilities from OPSWAT.

If you are currently utilizing Shavlik for Patch Assessment, you will continue to have support through June 2015, after which data file updates will no longer be provided. Customers looking to have continued Patch Assessment capability through Pulse Secure SA/UAC products beyond June 2015 will have to migrate to OPSWAT-based Patch Assessment.

In order to ensure a smooth transition, OPSWAT-based Patch Assessment is available in 8.0R10 and will co-exist with Shavlik Patch Assessment.

In the SA 8.1 / UAC 5.1 release train, only OPSWAT-based assessment is available. Customers can leverage the coexistence of both methods in the same release to ensure a smooth migration of Patch Assessment policy and functionality from Shavlik to OPSWAT.

Junos Pulse Secure Access Service 8.0 and below and Junos Pulse Access Control Service 5.0 and below will also lose the ability to carry out Patch Assessment for patches available after June 2015, because the Patch Assessment data file will no longer be updated.

Maintenance releases after June 2015 for Junos Pulse Secure Access Service 8.0 and Junos Pulse Access Control Service 5.0 will deprecate the feature of Patch Assessment Support using Shavlik.

Saturday 11 April 2015

Juniper: SDN Strategies

Juniper’s SDN strategy isn’t built on OpenFlow, but rather uses a mix of its network management software (Junos Space) and the Contrail network overlay controller that it acquired in late 2012 and open sourced last fall.

Its overlay approach is similar to VMware’s NSX and other virtual networks that are built using tunneling protocols over TCP/IP.

Like Arista, Juniper touts the programmability of its hardware, specifically the MX edge routers and EX and QFX series switches, with open APIs providing the means to automate network management, configuration, and control.

By open sourcing Contrail, it appears Juniper would rather focus on providing application-layer network services and orchestration for its legacy switching fabrics than centralized physical layer flow control.

Thursday 9 April 2015

SRX Series: ISC BIND vulnerability denial of service in delegation handling (CVE-2014-8500)

ISC BIND software included with Junos for SRX series devices is affected by CVE-2014-8500. This may allow a network based attacker to cause a denial of service condition on SRX devices.
This issue only affects SRX devices where "set system services dns dns-proxy" has been configured. This is not enabled by default on SRX devices.
This issue does not affect other Junos OS based devices, as they do not have the BIND DNS server feature.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue has been assigned CVE-2014-8500.
Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D50 (pending release), 12.1X46-D35 (pending release), 12.1X47-D25 (pending release), 12.3X48-D10, and all subsequent releases.

This issue is being tracked as PR 1048628 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
Workaround:
There are no known workarounds.
Implementation:

How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
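The two conditions the advisory states, exposure only when `set system services dns dns-proxy` is configured and a fix level per affected release branch, turned into an assessment routine. This is an added example, not Juniper's tooling; the branch-to-fix map is taken from the Solution section above, branches the advisory does not name are reported as unlisted rather than guessed, and the sample configuration lines are constructed.

```python
"""Assess an SRX against the CVE-2014-8500 advisory above.

Added example, not Juniper's code. Exposure requires the dns-proxy statement
the advisory names; the fixed D-level per branch is the one it lists.
"""
import re

# Branch -> first D-release carrying the fix, as listed in the Solution above.
FIXED_D_LEVEL = {
    "12.1X44": 50,
    "12.1X46": 35,
    "12.1X47": 25,
    "12.3X48": 10,
}

# The configuration statement named by the advisory, in "display set" form.
DNS_PROXY_RE = re.compile(r"^set system services dns dns-proxy(\s|$)")

# "12.1X46-D30" or "12.1X46-D30.2" -> ("12.1X46", 30); R-train versions do not match.
VERSION_RE = re.compile(r"^(\d+\.\d+X\d+)-D(\d+)(?:\.\d+)?$")


def dns_proxy_configured(config_lines):
    """True if any set-format configuration line enables the DNS proxy."""
    return any(DNS_PROXY_RE.match(line.strip()) for line in config_lines)


def parse_branch(version):
    """Return (branch, d_level) for an X-branch Junos version, else None."""
    m = VERSION_RE.match(version.strip())
    return (m.group(1), int(m.group(2))) if m else None


def assess(version, config_lines):
    """Return (status, detail); status is one of
    'not-exposed', 'unlisted', 'fixed' or 'vulnerable'."""
    if not dns_proxy_configured(config_lines):
        return ("not-exposed", "dns-proxy is not configured; BIND is not in use")
    parsed = parse_branch(version)
    if parsed is None or parsed[0] not in FIXED_D_LEVEL:
        return ("unlisted", f"{version} is not a branch named in this advisory")
    branch, level = parsed
    fixed = FIXED_D_LEVEL[branch]
    if level >= fixed:
        return ("fixed", f"{version} is at or above {branch}-D{fixed}")
    return ("vulnerable",
            f"{version} with dns-proxy enabled; first fixed release is {branch}-D{fixed}")


# Constructed sample configurations in "show configuration | display set" form.
CONFIG_WITH_PROXY = [
    "set system services ssh",
    "set system services dns dns-proxy interface ge-0/0/0.0",
]
CONFIG_WITHOUT_PROXY = [
    "set system services ssh",
    "set system name-server 10.0.0.53",
]

if __name__ == "__main__":
    for ver in ("12.1X46-D30", "12.1X46-D35", "12.3X48-D10", "12.1X49-D10"):
        print(ver, *assess(ver, CONFIG_WITH_PROXY))
    print("12.1X46-D30", *assess("12.1X46-D30", CONFIG_WITHOUT_PROXY))
```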

Wednesday 8 April 2015

Junos PR search tool

The PR (Problem Report) Search tool allows you to do a variety of searches across Juniper Networks' external bug content on the web. Currently, this application is fully supported for products which run the Junos OS. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and the EX Series Ethernet Switches.

Tuesday 17 March 2015

Cache Error on SRX5K SPC II causes flowd process core

Product Affected:

SRX5400/5600/5800 using SPC II (SRX5K-SPC-4-15-320) and running Junos OS:
  • 12.1X44-D10/D15/D20/D25/D30/D35
  • 12.1X45-D10/D15/D20/D25/D30
  • 12.1X46-D10/D15/D20
  • 12.1X47-D10
Alert Description:
A cache error exception can occur randomly, in rare conditions, on the SRX5K SPC II (Services Processing Card, SRX5K-SPC-4-15-320) when the SPC refers to an invalid physical address in memory. This triggers a flowd process core and a restart of all SPCs on the local node. If the chassis cluster feature is enabled, the data plane fails over to the other node.

For example, the following output will be shown when this issue happens.

root@SRX5K> show system core-dumps

-rw-rw----  1 nobody wheel 941023387 May 12 23:45 /var/tmp/flowd_xlr-SPC7_PIC3.core.0.gz

root@SRX5K> show log messages
...
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: cpuid = 26
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3-ADDRESS_ERR: pid 251 (flowd_xlr), uid 0: pc 0xffffffff802927e0 got a read fault at 0xffffffff802927e0
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: Trapframe Register Dump:
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: zero: 0000000000000000  at: fffffffffffffdff  v0: 0000000000000001  v1: 00000001c9322248
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: a0: ffffffff80a00406  a1: 00000000200f09fc  a2: 0000000000000000  a3: 00000000243ab1b8
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: t0: 0000000000009e63  t1: 00000001eb0e4a50  t2: 00000002dab903c0  t3: 00000002dab90390
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: ta0: ffffffffd1ebbad8 ta1: 0000000000000000 ta2: 0000000000000000 ta3: 0000000000000000
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: t8: 000000000000003a  t9: 0000000020105650  s0: 000000000000001a  s1: 00000000243ab288
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: s2: 00000000243ab1b8  s3: 00000000243ab1b8  s4: 000000000000001a  s5: 00000000241d0000
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: s6: 0000000021950000  s7: 00000001c9321e88  k0: 0000000000000000  k1: 0000000000000000
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: gp: 0000000000000000  sp: 0000000fdd5eaea0  s8: 000000000000001a  ra: 00000000200f0bc8
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: sr: 00000000508198f3 mullo: 0000000000000000    mulhi: 0000000000000000
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: pc: ffffffff802927e0 cause: 0000000000000010 badvaddr: ffffffff802927e0
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: pc address 0xffffffff802927e0 is inaccessible, pte = 0x0
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-2: flowd core, 
May 12 23:43:31   fpc7 Cowra: %PFE-3: XLP3 flowd_xlr core dump, current state SPU_STATE_WORKING. 
May 12 23:43:31   fpc7 flowd_xlr coredump start, ecc regs: %PFE-3: 0,0,0,0 
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-2: stop xaui rx and drain packets on lbt cpu 4
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-2: msgring_drain_process: bind thread to hwtid (4) cpuid(4)
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-2: [msgring
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-2: _drain_process]476 msges drained
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-2: Kernel thread "msgdrainthr4" (pid 41228) exited prematurely.
May 12 23:43:32   fpc7 Cowra: %PFE-3: XLP3 flowd_xlr down, current state SPU_STATE_CRASH. info: Flowd down, flowd_xlr_statusfound flowd in coredump.  
May 12 23:43:32   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: spu_cobar_send_mail_unlocked: New mail (6) tried 2 times to be sent, finally sent
May 12 23:45:05   /kernel: %KERN-4: peer_inputs:4300 VKS0 closing connection peer type 10 indx 31 err 0
May 12 23:45:05   /kernel: %KERN-3: pfe_send_failed(index 31, type 10), err=32
May 12 23:45:05   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-4: peer_inputs:4300 VKS0 closing connection peer type 10 indx 31 err 0
May 12 23:45:05   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3: pfe_send_failed(index 31, type 10), err=32
May 12 23:45:10   /kernel: %KERN-3: ###rdp_usr_detach tcb NULL socket 0xc6a824d4
May 12 23:45:15   fpc7 Cowra: %PFE-3: XLP3 flowd_xlr down complete. 
May 12 23:45:15   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 init: %AUTH-6: flowd_xlr (PID 173) exited with status=0 Normal Exit
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_IFDEV_DETACH_PIC: ifdev_detach_pic(7/3)
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_SNMP_TRAP7: SNMP trap generated: Fru Failed (jnxFruContentsIndex 7, jnxFruL1Index 8, jnxFruL2Index 0, jnxFruL3Index 0, jnxFruName FPC: SRX5k SPC II @ 7/*/*, jnxFruType 3, jnxFruSlot 7)
May 12 23:45:16   alarmd[975]: %DAEMON-4: Alarm set: PIC color=RED, class=CHASSIS, reason=FPC 7 PIC 3 SPU flowd core dump complete
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_PIC_OFFLINE_NOTICE: Taking PIC 3 in FPC 7 offline: SPU flowd core dump complete
May 12 23:45:16   craftd[976]: %DAEMON-4:  Major alarm set, FPC 7 PIC 3 SPU flowd core dump complete
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 7 offline: Reset on SPC/SPU failure
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_IFDEV_DETACH_FPC: ifdev_detach_fpc(7)
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 0 offline: Reset on SPC/SPU failure
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_IFDEV_DETACH_FPC: ifdev_detach_fpc(0)
....
  1. SPU kernel detected user space address error - %USER-3-ADDRESS_ERR: pid 251 (flowd_xlr), uid 0: pc 0xffffffff802927e0 got a read fault at 0xffffffff802927e0
  2. SPU kernel started to generate flowd core (%USER-2: flowd core) after collecting register values
  3. Chassisd detached affected SPC - %DAEMON-5-CHASSISD_IFDEV_DETACH_PIC: ifdev_detach_pic(7/3)
  4. Chassisd offlined affected SPC due to SPU flowd core dump - %DAEMON-5-CHASSISD_PIC_OFFLINE_NOTICE: Taking PIC 3 in FPC 7 offline: SPU flowd core dump complete
  5. Chassisd reset all SPCs - %DAEMON-5-CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 0 offline: Reset on SPC/SPU failure
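The five-step sequence above as detection logic over syslog lines, added here as an example that is not part of the original alert or of Junos: it matches each stage's message format as shown in the log above, checks that the stages appear in the documented order, and reports which SPC cored and which FPCs chassisd took offline. The sample log is a constructed subset of the output shown above.

```python
"""Detect the SRX5K SPC II flowd-core sequence (PR1005195) in syslog output.

Added example, not Juniper's tooling. Message formats are taken from the log
shown in the alert; the sample log below is a constructed subset of it.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(.*)$")

# (stage, pattern over the message body), in the order the alert lists them.
SIGNATURE = [
    ("address_err", re.compile(
        r"\(FPC Slot (?P<fpc>\d+), PIC Slot (?P<pic>\d+)\).*"
        r"%USER-3-ADDRESS_ERR: pid \d+ \(flowd_xlr\)")),
    ("flowd_core", re.compile(r"%USER-2: flowd core")),
    ("pic_detach", re.compile(
        r"CHASSISD_IFDEV_DETACH_PIC: ifdev_detach_pic\(\d+/\d+\)")),
    ("pic_offline", re.compile(
        r"CHASSISD_PIC_OFFLINE_NOTICE: Taking PIC \d+ in FPC \d+ offline: "
        r"SPU flowd core dump complete")),
    ("fru_offline", re.compile(
        r"CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC (?P<reset>\d+) offline: "
        r"Reset on SPC/SPU failure")),
]


@dataclass
class FlowdCoreEvent:
    stages: dict = field(default_factory=dict)    # stage -> first timestamp seen
    fpc: Optional[int] = None                      # FPC slot of the SPC that cored
    pic: Optional[int] = None                      # PIC slot of the cored SPU
    reset_fpcs: set = field(default_factory=set)   # every FPC chassisd took offline

    @property
    def complete(self):
        return all(name in self.stages for name, _ in SIGNATURE)

    @property
    def missing(self):
        return [name for name, _ in SIGNATURE if name not in self.stages]

    @property
    def in_order(self):
        """True if the matched stages were logged in the documented order."""
        seen = [datetime.strptime(self.stages[n], "%b %d %H:%M:%S")
                for n, _ in SIGNATURE if n in self.stages]
        return all(a <= b for a, b in zip(seen, seen[1:]))


def correlate(lines):
    """Scan syslog lines and collect the flowd-core signature, if present."""
    ev = FlowdCoreEvent()
    for raw in lines:
        m = TS_RE.match(raw.strip())
        if not m:
            continue                  # separators such as "..." carry no event
        ts, msg = m.groups()
        for name, pat in SIGNATURE:
            hit = pat.search(msg)
            if not hit:
                continue
            ev.stages.setdefault(name, ts)
            if name == "address_err" and ev.fpc is None:
                ev.fpc, ev.pic = int(hit["fpc"]), int(hit["pic"])
            elif name == "fru_offline":
                ev.reset_fpcs.add(int(hit["reset"]))
    return ev


# Constructed subset of the 'show log messages' output shown in the alert.
SAMPLE_LOG = """\
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-3-ADDRESS_ERR: pid 251 (flowd_xlr), uid 0: pc 0xffffffff802927e0 got a read fault at 0xffffffff802927e0
May 12 23:43:31   (FPC Slot 7, PIC Slot 3) SPC7_PIC3 kernel: %USER-2: flowd core,
...
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_IFDEV_DETACH_PIC: ifdev_detach_pic(7/3)
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_PIC_OFFLINE_NOTICE: Taking PIC 3 in FPC 7 offline: SPU flowd core dump complete
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 7 offline: Reset on SPC/SPU failure
May 12 23:45:16   chassisd[1506]: %DAEMON-5-CHASSISD_FRU_OFFLINE_NOTICE: Taking FPC 0 offline: Reset on SPC/SPU failure
""".splitlines()

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```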

This issue can be tracked via PR1005195.


Solution:
This issue is fixed in Junos OS 12.1X44-D40, 12.1X46-D25, 12.1X47-D15 and higher versions.

NOTE: There is no known way to monitor the system status before the flowd core due to cache error and there is no known workaround available. If the system reports a flowd core, please open a "Technical Service Request" on the Case Manager.