THREATINT


PUBLISHED

CVE-2024-30386

Junos OS and Junos OS Evolved: In an EVPN-VXLAN scenario, state changes on adjacent systems can cause an l2ald process crash

Reserved:2024-03-26
Published:2024-04-12
Updated:2024-05-16

Description

A Use-After-Free vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause l2ald to crash, leading to a Denial-of-Service (DoS). In an EVPN-VXLAN scenario, when state updates are received and processed by the affected system, the correct order of some processing steps is not ensured, which can lead to an l2ald crash and restart. Whether the crash occurs depends on system-internal timing, which is outside the attacker's control.

This issue affects:

Junos OS:
* All versions before 20.4R3-S8,
* 21.2 versions before 21.2R3-S6,
* 21.3 versions before 21.3R3-S5,
* 21.4 versions before 21.4R3-S4,
* 22.1 versions before 22.1R3-S3,
* 22.2 versions before 22.2R3-S1,
* 22.3 versions before 22.3R3,
* 22.4 versions before 22.4R2;

Junos OS Evolved:
* All versions before 20.4R3-S8-EVO,
* 21.2-EVO versions before 21.2R3-S6-EVO,
* 21.3-EVO versions before 21.3R3-S5-EVO,
* 21.4-EVO versions before 21.4R3-S4-EVO,
* 22.1-EVO versions before 22.1R3-S3-EVO,
* 22.2-EVO versions before 22.2R3-S1-EVO,
* 22.3-EVO versions before 22.3R3-EVO,
* 22.4-EVO versions before 22.4R2-EVO.



MEDIUM: 5.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
HIGH: 7.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L)

Problem types

CWE-416 Use After Free

Denial-of-Service (DoS)

Product status

Junos OS (default status: unaffected)

Any version before 20.4R3-S8: affected
21.2 before 21.2R3-S6: affected
21.3 before 21.3R3-S5: affected
21.4 before 21.4R3-S4: affected
22.1 before 22.1R3-S3: affected
22.2 before 22.2R3-S1: affected
22.3 before 22.3R3: affected
22.4 before 22.4R2: affected

Junos OS Evolved (default status: unaffected)

Any version before 20.4R3-S8-EVO: affected
21.2-EVO before 21.2R3-S6-EVO: affected
21.3-EVO before 21.3R3-S5-EVO: affected
21.4-EVO before 21.4R3-S4-EVO: affected
22.1-EVO before 22.1R3-S3-EVO: affected
22.2-EVO before 22.2R3-S1-EVO: affected
22.3-EVO before 22.3R3-EVO: affected
22.4-EVO before 22.4R2-EVO: affected
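The affected ranges above are easy to misread by hand (a release train below the first fixed release is affected everywhere, the other entries apply only to their own branch, and unlisted branches take the record's default status). The following Python turns them into a check; it is an added example, not part of the CVE record or of any Juniper tooling. It assumes version strings in the major.minorR<release>[-S<service>][-EVO] form used on this page (other Junos suffixes are not modelled), treats a missing R or S component as 0, and the inventory it scans is constructed.

```python
import re
from typing import NamedTuple

# Assumed version grammar: major.minor[R<release>][-S<service>][.<build>][-EVO].
# This is an assumption for the example; other Junos suffixes are not handled.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int   # R component, 0 when absent
    service: int   # S component, 0 when absent
    evo: bool      # True for Junos OS Evolved (-EVO suffix)

    @property
    def order(self):
        # Numeric ordering within a platform; a missing R or S sorts lowest.
        return (self.major, self.minor, self.release, self.service)

    @property
    def branch(self):
        # Release train, e.g. (21, 4) for any 21.4Rx-Sy build.
        return (self.major, self.minor)


def parse_junos_version(text: str) -> JunosVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, release, service, evo = m.groups()
    return JunosVersion(int(major), int(minor), int(release or 0),
                        int(service or 0), evo is not None)


# Fixed releases copied from the Product status section of this record.
# The first entry per platform is the catch-all "Any version before ...";
# the remaining entries apply only to their own release branch.
FIXED_RELEASES = {
    "Junos OS": ["20.4R3-S8", "21.2R3-S6", "21.3R3-S5", "21.4R3-S4",
                 "22.1R3-S3", "22.2R3-S1", "22.3R3", "22.4R2"],
    "Junos OS Evolved": ["20.4R3-S8-EVO", "21.2R3-S6-EVO", "21.3R3-S5-EVO",
                         "21.4R3-S4-EVO", "22.1R3-S3-EVO", "22.2R3-S1-EVO",
                         "22.3R3-EVO", "22.4R2-EVO"],
}


def is_affected(version_text: str) -> bool:
    """True if the given release falls inside an affected range of this record."""
    v = parse_junos_version(version_text)
    platform = "Junos OS Evolved" if v.evo else "Junos OS"
    catch_all, *per_branch = (parse_junos_version(f) for f in FIXED_RELEASES[platform])
    if v.order < catch_all.order:
        return True
    # Branches not listed in the record keep its default status: unaffected.
    return any(v.branch == fix.branch and v.order < fix.order for fix in per_branch)


def affected_hosts(inventory: dict) -> dict:
    """Return {hostname: version} for every host running an affected release."""
    return {host: ver for host, ver in inventory.items() if is_affected(ver)}


# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "leaf-01": "21.4R3-S3",     # below 21.4R3-S4 on its branch
    "leaf-02": "21.4R3-S4",     # fixed release
    "spine-01": "20.4R3-S7",    # below the catch-all 20.4R3-S8
    "spine-02": "22.3R3-EVO",   # fixed release on Evolved
    "border-01": "22.2R3-EVO",  # below 22.2R3-S1-EVO
    "lab-01": "23.2R1",         # branch not listed, default unaffected
}

if __name__ == "__main__":
    for host, ver in affected_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: {ver} is within an affected range of CVE-2024-30386")
```

The check only answers "is this release inside a listed range"; whether a device is exposed also depends on it actually running an EVPN-VXLAN configuration with l2ald processing adjacent state updates, which an inventory scan cannot see, so treat the output as a patch worklist rather than a proof of exposure.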

References

http://supportportal.juniper.net/JSA79184 (vendor-advisory)

https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L (technical-description)

cve.org CVE-2024-30386

nvd.nist.gov CVE-2024-30386

https://cve.threatint.com/CVE/CVE-2024-30386