CVE-2021-0280

Summary

Due to an Improper Initialization vulnerability in Juniper Networks Junos OS on PTX platforms and QFX10K Series with Paradise (PE) chipset-based line cards, ddos-protection configuration changes made from the CLI will not take effect as expected beyond the default DDoS (Distributed Denial of Service) settings in the Packet Forwarding Engine (PFE). This may cause BFD sessions to flap when a high rate of specific packets are received. Flapping of BFD sessions in turn may impact routing protocols and network stability, leading to a Denial of Service (DoS) condition. Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue affects only the following platforms with Paradise (PE) chipset-based line cards: PTX1000, PTX3000 (NextGen), PTX5000, PTX10008, PTX10016 Series and QFX10002 Series. This issue affects: Juniper Networks Junos OS 17.4 versions prior to 17.4R3-S5 on PTX Series, QFX10K Series; 18.2 versions prior to 18.2R3-S8 on PTX Series, QFX10K Series; 18.3 versions prior to 18.3R3-S5 on PTX Series, QFX10K Series; 18.4 versions prior to 18.4R2-S8 on PTX Series, QFX10K Series; 19.1 versions prior to 19.1R3-S5 on PTX Series, QFX10K Series; 19.2 versions prior to 19.2R3-S2 on PTX Series, QFX10K Series; 19.3 versions prior to 19.3R3-S2 on PTX Series, QFX10K Series; 19.4 versions prior to 19.4R3-S2 on PTX Series, QFX10K Series; 20.1 versions prior to 20.1R3 on PTX Series, QFX10K Series; 20.2 versions prior to 20.2R2-S3, 20.2R3 on PTX Series, QFX10K Series; 20.3 versions prior to 20.3R2 on PTX Series, QFX10K Series; 20.4 versions prior to 20.4R2 on PTX Series, QFX10K Series.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS17.4 < 17.4R3-S5affected
Juniper NetworksJunos OS18.2 < 18.2R3-S8affected
Juniper NetworksJunos OS18.3 < 18.3R3-S5affected
Juniper NetworksJunos OS18.4 < 18.4R2-S8affected
Juniper NetworksJunos OS19.1 < 19.1R3-S5affected
Juniper NetworksJunos OS19.2 < 19.2R3-S2affected
Juniper NetworksJunos OS19.3 < 19.3R3-S2affected
Juniper NetworksJunos OS19.4 < 19.4R3-S2affected
Juniper NetworksJunos OS20.1 < 20.1R3affected
Juniper NetworksJunos OS20.2 < 20.2R2-S3, 20.2R3affected
Juniper NetworksJunos OS20.3 < 20.3R2, 20.3R3affected
Juniper NetworksJunos OS20.4 < 20.4R2affected

Weaknesses

  • CWE-665: CWE-665 Improper Initialization

Workarounds

The default ukern policer rate can be reduced by the CLI command: set system ddos-protection protocols <protocol-group> <aggregate | packet-type> bandwidth <packets-per-second> burst <size>

ADP Enrichment

CVE Program Container

Additional References

References