CVE-2022-22220

Summary

A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS, Junos OS Evolved allows a network-based unauthenticated attacker to cause a Denial of Service (DoS). When a BGP flow route with redirect IP extended community is received, and the reachability to the next-hop of the corresponding redirect IP is flapping, the rpd process might crash. Whether the crash occurs depends on the timing of the internally processing of these two events and is outside the attackers control. Please note that this issue also affects Route-Reflectors unless 'routing-options flow firewall-install-disable' is configured. This issue affects: Juniper Networks Junos OS: 18.4 versions prior to 18.4R2-S10, 18.4R3-S10; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.4 versions prior to 19.4R3-S8; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S2; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. Juniper Networks Junos OS Evolved: All versions prior to 20.4R2-EVO; 21.1-EVO versions prior to 21.1R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OSunspecified < 18.4R1unaffected
Juniper NetworksJunos OS18.4 < 18.4R2-S10, 18.4R3-S10affected
Juniper NetworksJunos OS19.1 < 19.1R3-S7affected
Juniper NetworksJunos OS19.2 < 19.2R1-S8, 19.2R3-S4affected
Juniper NetworksJunos OS19.4 < 19.4R3-S8affected
Juniper NetworksJunos OS20.2 < 20.2R3-S3affected
Juniper NetworksJunos OS20.3 < 20.3R3-S2affected
Juniper NetworksJunos OS20.4 < 20.4R3affected
Juniper NetworksJunos OS21.1 < 21.1R2affected
Juniper NetworksJunos OS Evolvedunspecified < 20.4R2-EVOaffected
Juniper NetworksJunos OS Evolved21.1-EVO < 21.1R2-EVOaffected

Weaknesses

  • CWE-367: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
  • Denial of Service (DoS)

Workarounds

There are no viable workarounds for this issue.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References