ID

VAR-202201-0896


CVE

CVE-2022-22173


TITLE

Juniper Networks Junos OS Vulnerability regarding lack of memory release after expiration in

Trust: 0.8

sources: JVNDB: JVNDB-2022-004207

DESCRIPTION

A Missing Release of Memory after Effective Lifetime vulnerability in the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause a Denial of Service (DoS). In a scenario where Public Key Infrastructure (PKI) is used in combination with a Certificate Revocation List (CRL), if the CRL fails to download, the memory allocated to store the CRL is not released. Repeated occurrences will eventually consume all available memory and leave the affected system in an inoperable state, causing a DoS.

This issue affects Juniper Networks Junos OS: All versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R2-S9, 18.4R3-S10; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R2-S5, 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2, 21.1R3; 21.2 versions prior to 21.2R1-S1, 21.2R2.

This issue can be observed by monitoring the memory utilization of the pkid process via:

root@jtac-srx1500-r2003> show system processes extensive | match pki
20931 root 20 0 733M 14352K select 0:00 0.00% pkid

which increases over time:

root@jtac-srx1500-r2003> show system processes extensive | match pki
22587 root 20 0 901M 181M select 0:03 0.00% pkid

Juniper Networks Junos OS is a network operating system from Juniper Networks dedicated to the company's hardware equipment. The operating system provides a secure programming interface and the Junos SDK. An attacker could exploit this vulnerability to perform a DoS attack on the target system.

Trust: 1.8

sources: NVD: CVE-2022-22173 // JVNDB: JVNDB-2022-004207 // VULHUB: VHN-409702 // VULMON: CVE-2022-22173

AFFECTED PRODUCTS

vendor: juniper, model: junos, scope: eq, version: 18.3

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 21.1

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 20.3

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 20.4

Trust: 1.0

vendor: juniper, model: junos, scope: lt, version: 18.3

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 19.4

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 19.1

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 18.4

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 21.2

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 20.1

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 20.2

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 19.3

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 19.2

Trust: 1.0

vendor: ジュニパーネットワークス, model: junos os, scope: eq, version: -

Trust: 0.8

vendor: ジュニパーネットワークス, model: junos os, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-004207 // NVD: CVE-2022-22173

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-22173
value: HIGH

Trust: 1.0

sirt@juniper.net: CVE-2022-22173
value: HIGH

Trust: 1.0

NVD: CVE-2022-22173
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202201-909
value: HIGH

Trust: 0.6

VULHUB: VHN-409702
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-22173
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-22173
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-409702
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-22173
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

OTHER: JVNDB-2022-004207
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-409702 // VULMON: CVE-2022-22173 // JVNDB: JVNDB-2022-004207 // CNNVD: CNNVD-202201-909 // NVD: CVE-2022-22173 // NVD: CVE-2022-22173

PROBLEMTYPE DATA

problemtype:CWE-401

Trust: 1.1

problemtype:Lack of memory release after expiration (CWE-401) [ others ]

Trust: 0.8

sources: VULHUB: VHN-409702 // JVNDB: JVNDB-2022-004207 // NVD: CVE-2022-22173

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-909

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-909

PATCH

title: JSA11279, url: https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos-OS-CRL-failing-to-download-causes-a-memory-leak-and-ultimately-a-DoS-CVE-2022-22173?language=en_US

Trust: 0.8

title: Juniper Networks Junos OS Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=183775

Trust: 0.6

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-22173 // JVNDB: JVNDB-2022-004207 // CNNVD: CNNVD-202201-909

EXTERNAL IDS

db: NVD, id: CVE-2022-22173

Trust: 3.4

db: JUNIPER, id: JSA11279

Trust: 1.8

db: JVNDB, id: JVNDB-2022-004207

Trust: 0.8

db: CS-HELP, id: SB2022011229

Trust: 0.6

db: CNNVD, id: CNNVD-202201-909

Trust: 0.6

db: CNVD, id: CNVD-2022-08294

Trust: 0.1

db: VULHUB, id: VHN-409702

Trust: 0.1

db: VULMON, id: CVE-2022-22173

Trust: 0.1

sources: VULHUB: VHN-409702 // VULMON: CVE-2022-22173 // JVNDB: JVNDB-2022-004207 // CNNVD: CNNVD-202201-909 // NVD: CVE-2022-22173

REFERENCES

url:https://kb.juniper.net/jsa11279

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-22173

Trust: 1.4

url:https://www.cybersecurity-help.cz/vdb/sb2022011229

Trust: 0.6

url:https://vigilance.fr/vulnerability/junos-os-multiple-vulnerabilities-37234

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/401.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-409702 // VULMON: CVE-2022-22173 // JVNDB: JVNDB-2022-004207 // CNNVD: CNNVD-202201-909 // NVD: CVE-2022-22173

SOURCES

db: VULHUB, id: VHN-409702
db: VULMON, id: CVE-2022-22173
db: JVNDB, id: JVNDB-2022-004207
db: CNNVD, id: CNNVD-202201-909
db: NVD, id: CVE-2022-22173

LAST UPDATE DATE

2024-11-23T22:20:40.591000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-409702, date: 2022-02-01T00:00:00
db: VULMON, id: CVE-2022-22173, date: 2022-02-01T00:00:00
db: JVNDB, id: JVNDB-2022-004207, date: 2023-03-31T01:24:00
db: CNNVD, id: CNNVD-202201-909, date: 2022-02-28T00:00:00
db: NVD, id: CVE-2022-22173, date: 2024-11-21T06:46:18.913

SOURCES RELEASE DATE

db: VULHUB, id: VHN-409702, date: 2022-01-19T00:00:00
db: VULMON, id: CVE-2022-22173, date: 2022-01-19T00:00:00
db: JVNDB, id: JVNDB-2022-004207, date: 2023-03-31T00:00:00
db: CNNVD, id: CNNVD-202201-909, date: 2022-01-12T00:00:00
db: NVD, id: CVE-2022-22173, date: 2022-01-19T01:15:09.267