7.5

CVE-2022-22170

A Missing Release of Resource after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause a Denial of Service (DoS) by sending specific packets over VXLAN which cause heap memory to leak and on exhaustion the PFE to reset. The heap memory utilization can be monitored with the command: user@host> show chassis fpc This issue affects: Juniper Networks Junos OS 19.4 versions prior to 19.4R2-S6, 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect versions of Junos OS prior to 19.4R1.

Data is provided by the National Vulnerability Database (NVD)
JuniperJunos Version19.4 Updater1
JuniperJunos Version19.4 Updater1-s1
JuniperJunos Version19.4 Updater1-s2
JuniperJunos Version19.4 Updater1-s3
JuniperJunos Version19.4 Updater1-s4
JuniperJunos Version19.4 Updater2
JuniperJunos Version19.4 Updater2-s1
JuniperJunos Version19.4 Updater2-s2
JuniperJunos Version19.4 Updater2-s3
JuniperJunos Version19.4 Updater2-s4
JuniperJunos Version19.4 Updater2-s5
JuniperJunos Version19.4 Updater3
JuniperJunos Version19.4 Updater3-s1
JuniperJunos Version19.4 Updater3-s2
JuniperJunos Version19.4 Updater3-s3
JuniperJunos Version19.4 Updater3-s4
JuniperJunos Version19.4 Updater3-s5
JuniperJunos Version19.4 Updater3-s6
JuniperJunos Version20.1 Updater1
JuniperJunos Version20.1 Updater1-s1
JuniperJunos Version20.1 Updater1-s2
JuniperJunos Version20.1 Updater1-s3
JuniperJunos Version20.1 Updater1-s4
JuniperJunos Version20.1 Updater2
JuniperJunos Version20.1 Updater2-s1
JuniperJunos Version20.1 Updater2-s2
JuniperJunos Version20.1 Updater3
JuniperJunos Version20.1 Updater3-s1
JuniperJunos Version20.1 Updater3-s2
JuniperJunos Version20.2 Updater1
JuniperJunos Version20.2 Updater1-s1
JuniperJunos Version20.2 Updater1-s2
JuniperJunos Version20.2 Updater1-s3
JuniperJunos Version20.2 Updater2
JuniperJunos Version20.2 Updater2-s1
JuniperJunos Version20.2 Updater2-s2
JuniperJunos Version20.2 Updater2-s3
JuniperJunos Version20.2 Updater3
JuniperJunos Version20.2 Updater3-s1
JuniperJunos Version20.2 Updater3-s2
JuniperJunos Version20.3 Updater1
JuniperJunos Version20.3 Updater1-s1
JuniperJunos Version20.3 Updater2
JuniperJunos Version20.3 Updater2-s1
JuniperJunos Version20.3 Updater3
JuniperJunos Version20.3 Updater3-s1
JuniperJunos Version20.4 Updater1
JuniperJunos Version20.4 Updater1-s1
JuniperJunos Version20.4 Updater2
JuniperJunos Version20.4 Updater2-s1
JuniperJunos Version20.4 Updater2-s2
JuniperJunos Version20.4 Updater3
JuniperJunos Version21.1 Updater1
JuniperJunos Version21.1 Updater1-s1
JuniperJunos Version21.1 Updater2
JuniperJunos Version21.1 Updater2-s1
JuniperJunos Version21.2 Updater1
JuniperJunos Version21.2 Updater1-s1
JuniperJunos Version21.3 Updater1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.39% 0.571
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
sirt@juniper.net 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-772 Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.