CVE-2024-39549
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A Missing Release of Memory after Effective Lifetime vulnerability in the routing process daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker to send a malformed BGP Path attribute update which allocates memory used to log the bad path attribute. This memory is not properly freed in all circumstances, leading to a Denial of Service (DoS).
Consumed memory can be freed by manually restarting Routing Protocol Daemon (rpd).
Memory utilization could be monitored by: user@host> show system memory or show system monitor memory status
This issue affects:
Junos OS: * All versions before 21.2R3-S8,
from 21.4 before 21.4R3-S8,
from 22.2 before 22.2R3-S4,
from 22.3 before 22.3R3-S3,
from 22.4 before 22.4R3-S3,
from 23.2 before 23.2R2-S1,
from 23.4 before 23.4R1-S2, 23.4R2.
Junos OS Evolved:
All versions before 21.2R3-S8-EVO,
from 21.4 before 21.4R3-S8-EVO,
from 22.2 before 22.2R3-S4-EVO,
from 22.3 before 22.3R3-S3-EVO,
from 22.4 before 22.4R3-S3-EVO,
from 23.2 before 23.2R2-S1-EVO,
from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 0 < 21.2R3-S8 | affected |
| Juniper Networks | Junos OS | 21.4 < 21.4R3-S8 | affected |
| Juniper Networks | Junos OS | 22.2 < 22.2R3-S4 | affected |
| Juniper Networks | Junos OS | 22.3 < 22.3R3-S3 | affected |
| Juniper Networks | Junos OS | 22.4 < 22.4R3-S3 | affected |
| Juniper Networks | Junos OS | 23.2 < 23.2R2-S1 | affected |
| Juniper Networks | Junos OS | 23.4 < 23.4R1-S2, 23.4R2 | affected |
| Juniper Networks | Junos OS Evolved | 0 < 21.2R3-S8-EVO | affected |
| Juniper Networks | Junos OS Evolved | 21.4 < 21.4R3-S8-EVO | affected |
| Juniper Networks | Junos OS Evolved | 22.2 < 22.2R3-S4-EVO | affected |
| Juniper Networks | Junos OS Evolved | 22.3 < 22.3R3-S3-EVO | affected |
| Juniper Networks | Junos OS Evolved | 22.4 < 22.4R3-S3-EVO | affected |
| Juniper Networks | Junos OS Evolved | 23.2 < 23.2R2-S1-EVO | affected |
| Juniper Networks | Junos OS Evolved | 23.4 < 23.4R1-S2-EVO, 23.4R2-EVO | affected |
Weaknesses
- CWE-401: CWE-401: Missing Release of Memory after Effective Lifetime
Workarounds
There are no known workarounds for this issue.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.