Vulnerability-Lookup

GHSA-M8QM-RFM2-9PJV

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48

Details

Due to a vulnerability in DDoS protection in Juniper Networks Junos OS and Junos OS Evolved on QFX5K Series switches in a VXLAN configuration, instability might be experienced in the underlay network as a consequence of exceeding the default ddos-protection aggregate threshold. If an attacker on a client device on the overlay network sends a high volume of specific, legitimate traffic in the overlay network, due to an improperly detected DDoS violation, the leaf might not process certain L2 traffic, sent by spines in the underlay network. Continued receipt and processing of the high volume traffic will sustain the Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS on QFX5K Series: 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R2-S8, 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R2-S4, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2; 20.3 versions prior to 20.3R1-S2, 20.3R2. Juniper Networks Junos OS Evolved on QFX5220: All versions prior to 20.3R2-EVO.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-0259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Due to a vulnerability in DDoS protection in Juniper Networks Junos OS and Junos OS Evolved on QFX5K Series switches in a VXLAN configuration, instability might be experienced in the underlay network as a consequence of exceeding the default ddos-protection aggregate threshold. If an attacker on a client device on the overlay network sends a high volume of specific, legitimate traffic in the overlay network, due to an improperly detected DDoS violation, the leaf might not process certain L2 traffic, sent by spines in the underlay network. Continued receipt and processing of the high volume traffic will sustain the Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS on QFX5K Series: 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R2-S8, 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R2-S4, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2; 20.3 versions prior to 20.3R1-S2, 20.3R2. Juniper Networks Junos OS Evolved on QFX5220: All versions prior to 20.3R2-EVO.",
  "id": "GHSA-m8qm-rfm2-9pjv",
  "modified": "2022-05-24T17:48:14Z",
  "published": "2022-05-24T17:48:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0259"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11150"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-0259 (GCVE-0-2021-0259)

Vulnerability from cvelistv5 – Published: 2021-04-22 19:37 – Updated: 2024-09-16 17:48

Title

Junos OS and Junos OS Evolved: QFX5K Series: Underlay network traffic might not be processed upon receipt of high rate of specific genuine overlay packets in VXLAN scenario

Summary

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-755 - Improper Handling of Exceptional Conditions
Denial of Service (DoS)

Assigner

juniper

References

URL

Tags

https://kb.juniper.net/JSA11150

x_refsource_MISC

Impacted products

Vendor

Product

Version

Juniper Networks

Junos OS

Affected: 17.3 , < 17.3R3-S11 (custom)
Affected: 17.4 , < 17.4R3-S5 (custom)
Affected: 18.1 , < 18.1R3-S13 (custom)
Affected: 18.2 , < 18.2R2-S8, 18.2R3-S8 (custom)
Affected: 18.3 , < 18.3R3-S5 (custom)
Affected: 18.4 , < 18.4R1-S8, 18.4R2-S6, 18.4R3-S6 (custom)
Affected: 19.1 , < 19.1R3-S4 (custom)
Affected: 19.2 , < 19.2R1-S6, 19.2R3-S2 (custom)
Affected: 19.3 , < 19.3R3-S2 (custom)
Affected: 19.4 , < 19.4R2-S4, 19.4R3-S1 (custom)
Affected: 20.1 , < 20.1R2 (custom)
Affected: 20.2 , < 20.2R2 (custom)
Affected: 20.3 , < 20.3R1-S2, 20.3R2 (custom)

Juniper Networks

Junos OS Evolved

Affected: unspecified , < 20.3R2-EVO (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:32:10.668Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://kb.juniper.net/JSA11150"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "QFX5K Series"
          ],
          "product": "Junos OS",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "17.3R3-S11",
              "status": "affected",
              "version": "17.3",
              "versionType": "custom"
            },
            {
              "lessThan": "17.4R3-S5",
              "status": "affected",
              "version": "17.4",
              "versionType": "custom"
            },
            {
              "lessThan": "18.1R3-S13",
              "status": "affected",
              "version": "18.1",
              "versionType": "custom"
            },
            {
              "lessThan": "18.2R2-S8, 18.2R3-S8",
              "status": "affected",
              "version": "18.2",
              "versionType": "custom"
            },
            {
              "lessThan": "18.3R3-S5",
              "status": "affected",
              "version": "18.3",
              "versionType": "custom"
            },
            {
              "lessThan": "18.4R1-S8, 18.4R2-S6, 18.4R3-S6",
              "status": "affected",
              "version": "18.4",
              "versionType": "custom"
            },
            {
              "lessThan": "19.1R3-S4",
              "status": "affected",
              "version": "19.1",
              "versionType": "custom"
            },
            {
              "lessThan": "19.2R1-S6, 19.2R3-S2",
              "status": "affected",
              "version": "19.2",
              "versionType": "custom"
            },
            {
              "lessThan": "19.3R3-S2",
              "status": "affected",
              "version": "19.3",
              "versionType": "custom"
            },
            {
              "lessThan": "19.4R2-S4, 19.4R3-S1",
              "status": "affected",
              "version": "19.4",
              "versionType": "custom"
            },
            {
              "lessThan": "20.1R2",
              "status": "affected",
              "version": "20.1",
              "versionType": "custom"
            },
            {
              "lessThan": "20.2R2",
              "status": "affected",
              "version": "20.2",
              "versionType": "custom"
            },
            {
              "lessThan": "20.3R1-S2, 20.3R2",
              "status": "affected",
              "version": "20.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "QFX5220"
          ],
          "product": "Junos OS Evolved",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "20.3R2-EVO",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "An example of a configuration affected by this issue is shown below:\n\n  routing-instance evpn10 {\n     vtep-source-interface lo0.0;\n     instance-type evpn;\n     vlan-id 10;\n     interface xe-0/0/2.10;\n     vxlan {\n        vni 10;\n     }\n     route-distinguisher 10.255.181.13:10;\n     vrf-target target:10:10;\n     protocols {\n        evpn;\n     }\n  }"
        }
      ],
      "datePublic": "2021-04-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Due to a vulnerability in DDoS protection in Juniper Networks Junos OS and Junos OS Evolved on QFX5K Series switches in a VXLAN configuration, instability might be experienced in the underlay network as a consequence of exceeding the default ddos-protection aggregate threshold. If an attacker on a client device on the overlay network sends a high volume of specific, legitimate traffic in the overlay network, due to an improperly detected DDoS violation, the leaf might not process certain L2 traffic, sent by spines in the underlay network. Continued receipt and processing of the high volume traffic will sustain the Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS on QFX5K Series: 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R2-S8, 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R2-S4, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2; 20.3 versions prior to 20.3R1-S2, 20.3R2. Juniper Networks Junos OS Evolved on QFX5220: All versions prior to 20.3R2-EVO."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755 Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "Denial of Service (DoS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-22T19:37:18",
        "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
        "shortName": "juniper"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kb.juniper.net/JSA11150"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The following software releases have been updated to resolve this specific issue:\n\nJunos OS: 17.3R3-S11, 17.4R3-S5, 18.1R3-S13, 18.2R2-S8, 18.2R3-S8, 18.3R3-S5, 18.4R1-S8, 18.4R2-S6, 18.4R3-S6, 19.1R3-S4, 19.2R1-S6, 19.2R3-S2, 19.3R3-S2, 19.4R2-S4, 19.4R3-S1, 20.1R2, 20.2R2, 20.3R1-S2, 20.3R2, 20.4R1, and all subsequent releases.\n\nJunos OS Evolved: 20.3R2-EVO, 20.4R1-EVO, and all subsequent releases."
        }
      ],
      "source": {
        "advisory": "JSA11150",
        "defect": [
          "1499681"
        ],
        "discovery": "USER"
      },
      "title": "Junos OS and Junos OS Evolved: QFX5K Series: Underlay network traffic might not be processed upon receipt of high rate of specific genuine overlay packets in VXLAN scenario",
      "workarounds": [
        {
          "lang": "en",
          "value": "There are no available workarounds for this issue."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@juniper.net",
          "DATE_PUBLIC": "2021-04-14T16:00:00.000Z",
          "ID": "CVE-2021-0259",
          "STATE": "PUBLIC",
          "TITLE": "Junos OS and Junos OS Evolved: QFX5K Series: Underlay network traffic might not be processed upon receipt of high rate of specific genuine overlay packets in VXLAN scenario"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Junos OS",
                      "version": {
                        "version_data": [
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "17.3",
                            "version_value": "17.3R3-S11"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "17.4",
                            "version_value": "17.4R3-S5"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "18.1",
                            "version_value": "18.1R3-S13"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "18.2",
                            "version_value": "18.2R2-S8, 18.2R3-S8"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "18.3",
                            "version_value": "18.3R3-S5"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "18.4",
                            "version_value": "18.4R1-S8, 18.4R2-S6, 18.4R3-S6"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "19.1",
                            "version_value": "19.1R3-S4"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "19.2",
                            "version_value": "19.2R1-S6, 19.2R3-S2"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "19.3",
                            "version_value": "19.3R3-S2"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "19.4",
                            "version_value": "19.4R2-S4, 19.4R3-S1"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "20.1",
                            "version_value": "20.1R2"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "20.2",
                            "version_value": "20.2R2"
                          },
                          {
                            "platform": "QFX5K Series",
                            "version_affected": "\u003c",
                            "version_name": "20.3",
                            "version_value": "20.3R1-S2, 20.3R2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Junos OS Evolved",
                      "version": {
                        "version_data": [
                          {
                            "platform": "QFX5220",
                            "version_affected": "\u003c",
                            "version_value": "20.3R2-EVO"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Juniper Networks"
              }
            ]
          }
        },
        "configuration": [
          {
            "lang": "en",
            "value": "An example of a configuration affected by this issue is shown below:\n\n  routing-instance evpn10 {\n     vtep-source-interface lo0.0;\n     instance-type evpn;\n     vlan-id 10;\n     interface xe-0/0/2.10;\n     vxlan {\n        vni 10;\n     }\n     route-distinguisher 10.255.181.13:10;\n     vrf-target target:10:10;\n     protocols {\n        evpn;\n     }\n  }"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Due to a vulnerability in DDoS protection in Juniper Networks Junos OS and Junos OS Evolved on QFX5K Series switches in a VXLAN configuration, instability might be experienced in the underlay network as a consequence of exceeding the default ddos-protection aggregate threshold. If an attacker on a client device on the overlay network sends a high volume of specific, legitimate traffic in the overlay network, due to an improperly detected DDoS violation, the leaf might not process certain L2 traffic, sent by spines in the underlay network. Continued receipt and processing of the high volume traffic will sustain the Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS on QFX5K Series: 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R2-S8, 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R2-S4, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2; 20.3 versions prior to 20.3R1-S2, 20.3R2. Juniper Networks Junos OS Evolved on QFX5220: All versions prior to 20.3R2-EVO."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-755 Improper Handling of Exceptional Conditions"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service (DoS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.juniper.net/JSA11150",
              "refsource": "MISC",
              "url": "https://kb.juniper.net/JSA11150"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "The following software releases have been updated to resolve this specific issue:\n\nJunos OS: 17.3R3-S11, 17.4R3-S5, 18.1R3-S13, 18.2R2-S8, 18.2R3-S8, 18.3R3-S5, 18.4R1-S8, 18.4R2-S6, 18.4R3-S6, 19.1R3-S4, 19.2R1-S6, 19.2R3-S2, 19.3R3-S2, 19.4R2-S4, 19.4R3-S1, 20.1R2, 20.2R2, 20.3R1-S2, 20.3R2, 20.4R1, and all subsequent releases.\n\nJunos OS Evolved: 20.3R2-EVO, 20.4R1-EVO, and all subsequent releases."
          }
        ],
        "source": {
          "advisory": "JSA11150",
          "defect": [
            "1499681"
          ],
          "discovery": "USER"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "There are no available workarounds for this issue."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
    "assignerShortName": "juniper",
    "cveId": "CVE-2021-0259",
    "datePublished": "2021-04-22T19:37:18.777052Z",
    "dateReserved": "2020-10-27T00:00:00",
    "dateUpdated": "2024-09-16T17:48:16.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-M8QM-RFM2-9PJV

CVE-2021-0259 (GCVE-0-2021-0259)

Tags

Sightings

Nomenclature