Memory leak in Juniper Junos OS

1) Memory leak

EUVDB-ID: #VU82500

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22205

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A Missing Release of Memory after Effective Lifetime vulnerability in the Application Quality of Experience (appqoe) subsystem of the PFE of Juniper Networks Junos OS on SRX Series allows an unauthenticated network based attacker to cause a Denial of Service (DoS).

 Upon receiving specific traffic a memory leak will occur.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Juniper Junos OS: 20.3R1-S1 - 21.3R1

CPE2.3

• cpe:2.3:o:juniper_networks:juniper_junos_os:20.3R1-S1:*:*:*:*:*:*:*
• cpe:2.3:o:juniper_networks:juniper_junos_os:20.3R1-S2:*:*:*:*:*:*:*
• cpe:2.3:o:juniper_networks:juniper_junos_os:20.3R2-S1:*:*:*:*:*:*:*
• cpe:2.3:o:juniper_networks:juniper_junos_os:20.3R3-S1:*:*:*:*:*:*:*
• cpe:2.3:o:juniper_networks:juniper_junos_os:20.3:*:*:*:*:*:*:*
• cpe:2.3:o:juniper_networks:juniper_junos_os:20.3R1:*:*:*:*:*:*:*
• cpe:2.3:o:juniper_networks:juniper_junos_os:20.3R2:*:*:*:*:*:*:*
• cpe:2.3:o:juniper_networks:juniper_junos_os:20.3R3:*:*:*:*:*:*:*
• cpe:2.3:o:juniper_networks:juniper_junos_os:20.4R1-S1:*:*:*:*:*:*:*
• cpe:2.3:o:juniper_networks:juniper_junos_os:20.4R2-S1:*:*:*:*:*:*:*

External links

https://supportportal.juniper.net/s/article/2022-07-Security-Bulletin-Junos-OS-SRX-Series-An-FPC-memory-leak-can-occur-in-an-APBR-scenario-CVE-2022-22205

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.