The issue only affects routers utilizing Trio-based PFE modules running Junos OS 13.3R3, 14.1R1, and 14.1R2
When configuring a stateless firewall filter on a system with Trio-based
PFE modules (e.g. MX Series), any source or destination port matching
condition may fail to match intended packets, causing the filter to not
execute the actions specified in the 'then' clause. Depending on
the intent and design of the interface filter, this match failure may
have unexpected impact on the router or follow-on filter clauses. For
example, if traffic with a specific destination port was designed to be
accepted, a later "reject all" clause may inadvertently discard wanted
traffic. Conversely, if certain destination ports are meant to be
dropped, malicious traffic may be consumed by the RE or forwarded on to
downstream routers.
This issue only affects routers running
Junos OS 13.3R3, 14.1R1, and 14.1R2. Additionally, this issue only
affects IPv4 traffic. IPv6 port matching filters are unaffected by this
issue.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
The following software releases have been updated to resolve this
specific issue: Junos OS 13.3R3-S3, 13.3R4, 14.1R3, 14.2R1, and all
subsequent releases.
This issue is being tracked as PR 1003494 and is visible on the Customer Support website.
Note: While
the vulnerability does not impact versions of Junos prior to 13.3R3,
the actual code modified to resolve the issue existed in earlier
releases. For this reason, the prsearch tool will report fixes in Junos
OS 12.3R8 and 13.2R6, even though the vulnerability was never exposed
in these releases.
KB16765 - "In which releases are
vulnerabilities fixed?" describes which release vulnerabilities are
fixed as per our End of Engineering and End of Life support policies.
No comments:
Post a Comment