CVE-2019-0036

Summary

When configuring a stateless firewall filter in Junos OS, terms named using the format "internal-n" (e.g. "internal-1", "internal-2", etc.) are silently ignored. No warning is issued during configuration, and the config is committed without error, but the filter criteria will match all packets leading to unexpected results. Affected releases are Juniper Networks Junos OS: All versions prior to and including 12.3; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D161, 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D69; 16.1 versions prior to 16.1R7-S4, 16.1R7-S5; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S7, 17.4R2-S3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S4; 18.2 versions prior to 18.2R1-S5, 18.2R2-S1; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3; 18.4 versions prior to 18.4R1-S1, 18.4R1-S2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS12.1X46affected
Juniper NetworksJunos OS12.3X48affected
Juniper NetworksJunos OS12.3affected
Juniper NetworksJunos OS14.1X53 < 14.1X53-D130, 14.1X53-D49affected
Juniper NetworksJunos OS15.1 < 15.1F6-S12, 15.1R7-S4affected
Juniper NetworksJunos OS15.1X49 < 15.1X49-D161, 15.1X49-D170affected
Juniper NetworksJunos OS15.1X53 < 15.1X53-D236, 15.1X53-D496, 15.1X53-D69affected
Juniper NetworksJunos OS16.1 < 16.1R7-S4, 16.1R7-S5affected
Juniper NetworksJunos OS16.2 < 16.2R2-S9affected
Juniper NetworksJunos OS17.1 < 17.1R3affected
Juniper NetworksJunos OS17.2 < 17.2R1-S8, 17.2R3-S1affected
Juniper NetworksJunos OS17.3 < 17.3R3-S4affected
Juniper NetworksJunos OS17.4 < 17.4R1-S7, 17.4R2-S3affected
Juniper NetworksJunos OS18.1 < 18.1R2-S4, 18.1R3-S4affected
Juniper NetworksJunos OS18.2 < 18.2R1-S5, 18.2R2-S1affected
Juniper NetworksJunos OS18.2X75 < 18.2X75-D40affected
Juniper NetworksJunos OS18.3 < 18.3R1-S3affected
Juniper NetworksJunos OS18.4 < 18.4R1-S1, 18.4R1-S2affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control

Workarounds

Avoid configuring firewall filter names of the format: internal-n.

ADP Enrichment

CVE Program Container

Additional References

References