Vulnerability Name:

CVE-2022-22211 (CCN-238501)

Assigned:2021-12-21
Published:2022-10-12
Updated:2022-10-21
Summary:A limitless resource allocation vulnerability in FPC resources of Juniper Networks Junos OS Evolved on PTX Series allows an unprivileged attacker to cause Denial of Service (DoS). Continuously polling the SNMP jnxCosQstatTable causes the FPC to run out of GUID space, causing a Denial of Service to the FPC resources. When the FPC runs out of the GUID space, you will see the following syslog messages. The evo-aftmand-bt process is asserting. fpc1 evo-aftmand-bt[17556]: %USER-3: get_next_guid: Ran out of Guid Space start 1748051689472 end 1752346656767 fpc1 audit[17556]: %AUTH-5: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=17556 comm="EvoAftManBt-mai" exe="/usr/sbin/evo-aftmand-bt" sig=6 fpc1 kernel: %KERN-5: audit: type=1701 audit(1648567505.119:57): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=17556 comm="EvoAftManBt-mai" exe="/usr/sbin/evo-aftmand-bt" sig=6 fpc1 emfd-fpa[14438]: %USER-5: Alarm set: APP color=red, class=CHASSIS, reason=Application evo-aftmand-bt fail on node Fpc1 fpc1 emfd-fpa[14438]: %USER-3-EMF_FPA_ALARM_REP: RaiseAlarm: Alarm(Location: /Chassis[0]/Fpc[1] Module: sysman Object: evo-aftmand-bt:0 Error: 2) reported fpc1 sysepochman[12738]: %USER-5-SYSTEM_REBOOT_EVENT: Reboot [node] [ungraceful reboot] [evo-aftmand-bt exited] The FPC resources can be monitored using the following commands: user@router> start shell [vrf:none] user@router-re0:~$ cli -c "show platform application-info allocations app evo-aftmand-bt" | grep ^fpc | grep -v Route | grep -i -v Nexthop | awk '{total[$1] += $5} END { for (key in total) { print key " " total[key]/4294967296 }}' Once the FPCs become unreachable they must be manually restarted as they do not self-recover. This issue affects Juniper Networks Junos OS Evolved on PTX Series: All versions prior to 20.4R3-S4-EVO; 21.1-EVO version 21.1R1-EVO and later versions; 21.2-EVO version 21.2R1-EVO and later versions; 21.3-EVO versions prior to 21.3R3-EVO; 21.4-EVO versions prior to 21.4R2-EVO; 22.1-EVO versions prior to 22.1R2-EVO.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-770
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-22211

Source: XF
Type: UNKNOWN
juniper-cve202222211-dos(238501)

Source: CONFIRM
Type: Permissions Required
https://kb.juniper.net/JSA69916

Source: CCN
Type: Juniper Networks Security Bulletin JSA69916
Junos OS Evolved: PTX Series: Multiple FPCs become unreachable due to continuous polling of specific SNMP OID (CVE-2022-22211)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:juniper:junos_os_evolved:20.4:r1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.1:r1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.1:r2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.1:r1-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.2:r1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.2:r1-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.2:r2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.1:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r1-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:*:*:*:*:*:*:*:* (Version < 20.4)
  • OR cpe:/o:juniper:junos_os_evolved:20.4:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r1-s2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r2-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r2-s2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r2-s3:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r3:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r3-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r3-s2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.2:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.2:r1-s2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.2:r2-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.2:r2-s2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.3:r1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.3:r1-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.4:r1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.4:r1-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.4:r1-s2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:20.4:r3-s3:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.1:r3:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.1:r3-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.2:r3:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.3:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.3:r2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.3:r2-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.3:r2-s2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:21.4:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:22.1:r1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:22.1:r1-s1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos_os_evolved:22.1:r1-s2:*:*:*:*:*:*
  • AND
  • cpe:/h:juniper:ptx1000:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx3000:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx5000:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10002:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10008:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10016:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10000:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10001:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10003:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10001-36mr:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx100016:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10002-60c:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10003_160c:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10003_80c:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10003_81cd:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx10004:-:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:ptx1000-72q:-:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:juniper:junos_os_evolved:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    juniper junos os evolved 20.4 r1
    juniper junos os evolved 21.1 r1
    juniper junos os evolved 21.1 r2
    juniper junos os evolved 21.1 r1-s1
    juniper junos os evolved 21.2 r1
    juniper junos os evolved 21.2 r1-s1
    juniper junos os evolved 21.2 r2
    juniper junos os evolved 21.1 -
    juniper junos os evolved 20.4 r1-s1
    juniper junos os evolved *
    juniper junos os evolved 20.4 -
    juniper junos os evolved 20.4 r1-s2
    juniper junos os evolved 20.4 r2
    juniper junos os evolved 20.4 r2-s1
    juniper junos os evolved 20.4 r2-s2
    juniper junos os evolved 20.4 r2-s3
    juniper junos os evolved 20.4 r3
    juniper junos os evolved 20.4 r3-s1
    juniper junos os evolved 20.4 r3-s2
    juniper junos os evolved 21.2 -
    juniper junos os evolved 21.2 r1-s2
    juniper junos os evolved 21.2 r2-s1
    juniper junos os evolved 21.2 r2-s2
    juniper junos os evolved 21.3 r1
    juniper junos os evolved 21.3 r1-s1
    juniper junos os evolved 21.4 r1
    juniper junos os evolved 21.4 r1-s1
    juniper junos os evolved 21.4 r1-s2
    juniper junos os evolved 20.4 r3-s3
    juniper junos os evolved 21.1 r3
    juniper junos os evolved 21.1 r3-s1
    juniper junos os evolved 21.2 r3
    juniper junos os evolved 21.3 -
    juniper junos os evolved 21.3 r2
    juniper junos os evolved 21.3 r2-s1
    juniper junos os evolved 21.3 r2-s2
    juniper junos os evolved 21.4 -
    juniper junos os evolved 22.1 r1
    juniper junos os evolved 22.1 r1-s1
    juniper junos os evolved 22.1 r1-s2
    juniper ptx1000 -
    juniper ptx3000 -
    juniper ptx5000 -
    juniper ptx10002 -
    juniper ptx10008 -
    juniper ptx10016 -
    juniper ptx10000 -
    juniper ptx10001 -
    juniper ptx10003 -
    juniper ptx10001-36mr -
    juniper ptx100016 -
    juniper ptx10002-60c -
    juniper ptx10003 160c -
    juniper ptx10003 80c -
    juniper ptx10003 81cd -
    juniper ptx10004 -
    juniper ptx1000-72q -
    juniper junos os evolved *