Denial of service in Junos OS IPv6
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-22155 |
| CWE-ID | CWE-400 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Juniper Junos OS Operating systems & Components / Operating system |
| Vendor | Juniper Networks, Inc. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Resource exhaustion
EUVDB-ID: #VU59627
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22155
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources while handling IPv6 neighbor state change events. A remote attacker on the local network can trigger a memory leak in the Flexible PIC Concentrator (FPC) of an ACX5448 router. The continuous flapping of an IPv6 neighbor with specific timing will cause the FPC to run out of resources, leading to a Denial of Service (DoS) condition.
MitigationInstall updates from vendor's website.
Vulnerable software versionsJuniper Junos OS: 18.4 - 20.3
CPE2.3- cpe:2.3:o:juniper_networks:juniper_junos_os:19.2R3-S1:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:19.2R1-S4:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:18.4R3-S9:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:18.4R1-S5:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:18.4R2-S3:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:19.3R3-S1:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:19.3R1-S1:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:19.3R2-S7:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:19.1R3-S4:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:19.1R1-S4:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:20.3:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:20.2R1-S3:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:19.4R2-S8:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:19.4R1-S4:*:*:*:*:*:*:*
- cpe:2.3:o:juniper_networks:juniper_junos_os:20.1R1-S4:*:*:*:*:*:*:*
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11263&cat=SIRT_1&actp=LIST
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
