CVE-2020-1685

Summary

When configuring stateless firewall filters in Juniper Networks EX4600 and QFX 5000 Series devices using Virtual Extensible LAN protocol (VXLAN), the discard action will fail to discard traffic under certain conditions. Given a firewall filter configuration similar to: family ethernet-switching { filter L2-VLAN { term ALLOW { from { user-vlan-id 100; } then { accept; } } term NON-MATCH { then { discard; } } when there is only one term containing a 'user-vlan-id' match condition, and no other terms in the firewall filter except discard, the discard action for non-matching traffic will only discard traffic with the same VLAN ID specified under 'user-vlan-id'. Other traffic (e.g. VLAN ID 200) will not be discarded. This unexpected behavior can lead to unintended traffic passing through the interface where the firewall filter is applied. This issue only affects systems using VXLANs. This issue affects Juniper Networks Junos OS on QFX5K Series: 18.1 versions prior to 18.1R3-S7, except 18.1R3; 18.2 versions prior to 18.2R2-S7, 18.2R3-S1; 18.3 versions prior to 18.3R1-S5, 18.3R2-S4, 18.3R3; 18.4 versions prior to 18.4R1-S7, 18.4R2-S1, 18.4R3; 19.1 versions prior to 19.1R1-S5, 19.1R2; 19.2 versions prior to 19.2R1-S5, 19.2R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS18.1R3unaffected
Juniper NetworksJunos OS18.1 < 18.1R3-S7affected
Juniper NetworksJunos OS18.2 < 18.2R2-S7, 18.2R3-S1affected
Juniper NetworksJunos OS18.3 < 18.3R1-S5, 18.3R2-S4, 18.3R3affected
Juniper NetworksJunos OS18.4 < 18.4R1-S7, 18.4R2-S1, 18.4R3affected
Juniper NetworksJunos OS19.1 < 19.1R1-S5, 19.1R2affected
Juniper NetworksJunos OS19.2 < 19.2R1-S5, 19.2R2affected

Weaknesses

  • CWE-203: CWE-203 Information Exposure Through Discrepancy

Workarounds

Avoid using the user-vlan-id match criteria.

ADP Enrichment

CVE Program Container

Additional References

References