CVE-2023-22399

Summary

When sFlow is enabled and it monitors a packet forwarded via ECMP, a buffer management vulnerability in the dcpfe process of Juniper Networks Junos OS on QFX10K Series systems allows an attacker to cause the Packet Forwarding Engine (PFE) to crash and restart by sending specific genuine packets to the device, resulting in a Denial of Service (DoS) condition. The dcpfe process tries to copy more data into a smaller buffer, which overflows and corrupts the buffer, causing a crash of the dcpfe process. Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. This issue affects Juniper Networks Junos OS on QFX10K Series: All versions prior to 19.4R3-S9; 20.2 versions prior to 20.2R3-S6; 20.3 versions prior to 20.3R3-S6; 20.4 versions prior to 20.4R3-S5; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S3; 21.3 versions prior to 21.3R3-S2; 21.4 versions prior to 21.4R2-S2, 21.4R3; 22.1 versions prior to 22.1R2; 22.2 versions prior to 22.2R1-S2, 22.2R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OSunspecified < 19.4R3-S9affected
Juniper NetworksJunos OS20.2 < 20.2R3-S6affected
Juniper NetworksJunos OS20.3 < 20.3R3-S6affected
Juniper NetworksJunos OS20.4 < 20.4R3-S5affected
Juniper NetworksJunos OS21.1 < 21.1R3-S4affected
Juniper NetworksJunos OS21.2 < 21.2R3-S3affected
Juniper NetworksJunos OS21.3 < 21.3R3-S2affected
Juniper NetworksJunos OS21.4 < 21.4R2-S2, 21.4R3affected
Juniper NetworksJunos OS22.1 < 22.1R2affected
Juniper NetworksJunos OS22.2 < 22.2R1-S2, 22.2R2affected

Weaknesses

  • CWE-120: CWE-120 Buffer Overflow
  • Denial of Service (DoS)

Workarounds

  1. Prevent sflow from monitoring ECMP forwarded packets.

  2. Temporarily disable sFlow to mitigate this issue.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References