ID

VAR-202201-0624


CVE

CVE-2022-22170


TITLE

Vulnerability regarding lack of resource release after valid lifetime in Juniper Networks Junos OS

Trust: 0.8

sources: JVNDB: JVNDB-2022-003891

DESCRIPTION

A Missing Release of Resource after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause a Denial of Service (DoS) by sending specific packets over VXLAN, which cause heap memory to leak and, on exhaustion, the PFE to reset. The heap memory utilization can be monitored with the command:

user@host> show chassis fpc

This issue affects Juniper Networks Junos OS: 19.4 versions prior to 19.4R2-S6, 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect versions of Junos OS prior to 19.4R1.

Juniper Networks Junos OS contains a vulnerability regarding the lack of resource release after a valid lifetime. The affected system may be put into a denial-of-service (DoS) state.

Trust: 1.8

sources: NVD: CVE-2022-22170 // JVNDB: JVNDB-2022-003891 // VULHUB: VHN-409699 // VULMON: CVE-2022-22170

AFFECTED PRODUCTS

vendor: juniper, model: junos, scope: eq, version: 20.2

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 21.2

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 20.4

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 20.1

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 19.4

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 21.3

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 21.1

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 20.3

Trust: 1.0

vendor: Juniper Networks, model: junos os, scope: eq, version: -

Trust: 0.8

vendor: Juniper Networks, model: junos os, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-003891 // NVD: CVE-2022-22170

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-22170
value: HIGH

Trust: 1.0

sirt@juniper.net: CVE-2022-22170
value: HIGH

Trust: 1.0

NVD: CVE-2022-22170
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202201-912
value: HIGH

Trust: 0.6

VULHUB: VHN-409699
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-22170
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-22170
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-409699
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-22170
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

OTHER: JVNDB-2022-003891
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-409699 // VULMON: CVE-2022-22170 // JVNDB: JVNDB-2022-003891 // CNNVD: CNNVD-202201-912 // NVD: CVE-2022-22170 // NVD: CVE-2022-22170

PROBLEMTYPE DATA

problemtype:CWE-772

Trust: 1.1

problemtype:Lack of resource release after valid lifetime (CWE-772) [ others ]

Trust: 0.8

sources: VULHUB: VHN-409699 // JVNDB: JVNDB-2022-003891 // NVD: CVE-2022-22170

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-912

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202201-912

PATCH

title: JSA11277, url: https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Specific-packets-over-VXLAN-cause-memory-leak-and-or-FPC-reset-CVE-2022-22170-CVE-2022-22171?language=en_US

Trust: 0.8

title: Juniper Networks Junos OS Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=183776

Trust: 0.6

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-22170 // JVNDB: JVNDB-2022-003891 // CNNVD: CNNVD-202201-912

EXTERNAL IDS

db: NVD, id: CVE-2022-22170

Trust: 3.4

db: JUNIPER, id: JSA11277

Trust: 1.8

db: JVNDB, id: JVNDB-2022-003891

Trust: 0.8

db: CS-HELP, id: SB2022011231

Trust: 0.6

db: CNNVD, id: CNNVD-202201-912

Trust: 0.6

db: VULHUB, id: VHN-409699

Trust: 0.1

db: VULMON, id: CVE-2022-22170

Trust: 0.1

sources: VULHUB: VHN-409699 // VULMON: CVE-2022-22170 // JVNDB: JVNDB-2022-003891 // CNNVD: CNNVD-202201-912 // NVD: CVE-2022-22170

REFERENCES

url:https://kb.juniper.net/jsa11277

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-22170

Trust: 1.4

url:https://vigilance.fr/vulnerability/junos-os-multiple-vulnerabilities-37234

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022011231

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/772.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-409699 // VULMON: CVE-2022-22170 // JVNDB: JVNDB-2022-003891 // CNNVD: CNNVD-202201-912 // NVD: CVE-2022-22170

SOURCES

db: VULHUB, id: VHN-409699
db: VULMON, id: CVE-2022-22170
db: JVNDB, id: JVNDB-2022-003891
db: CNNVD, id: CNNVD-202201-912
db: NVD, id: CVE-2022-22170

LAST UPDATE DATE

2024-08-14T14:37:42.925000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-409699, date: 2022-01-26T00:00:00
db: VULMON, id: CVE-2022-22170, date: 2022-01-26T00:00:00
db: JVNDB, id: JVNDB-2022-003891, date: 2023-03-10T05:33:00
db: CNNVD, id: CNNVD-202201-912, date: 2022-02-28T00:00:00
db: NVD, id: CVE-2022-22170, date: 2022-01-26T18:17:33.447

SOURCES RELEASE DATE

db: VULHUB, id: VHN-409699, date: 2022-01-19T00:00:00
db: VULMON, id: CVE-2022-22170, date: 2022-01-19T00:00:00
db: JVNDB, id: JVNDB-2022-003891, date: 2023-03-10T00:00:00
db: CNNVD, id: CNNVD-202201-912, date: 2022-01-12T00:00:00
db: NVD, id: CVE-2022-22170, date: 2022-01-19T01:15:09.080