296,213
Total vulnerabilities in the database
When a device running Juniper Networks Junos OS with MPC7, MPC8, or MPC9 line cards installed and the system is configured for inline IP reassembly, used by L2TP, MAP-E, GRE, and IPIP, the packet forwarding engine (PFE) will become disabled upon receipt of small fragments requiring reassembly, generating the following error messages: [LOG: Err] MQSS(2): WO: Packet Error - Error Packets 1, Connection 29 [LOG: Err] eachip_hmcif_rx_intr_handler(7259): EA[2:0]: HMCIF Rx: Injected checksum error detected on WO response - Chunk Address 0x0 [LOG: Err] MQSS(2): DRD: RORD1: CMD reorder ID error - Command 11, Reorder ID 1960, QID 0 [LOG: Err] MQSS(2): DRD: UNROLL0: HMC chunk address error in stage 5 - Chunk Address: 0xc38fb1 [LOG: Notice] Error: /fpc/0/pfe/0/cm/0/MQSS(2)/2/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc), scope: pfe, category: functional, severity: major, module: MQSS(2), type: DRD_RORD_ENG_INT: CMD FSM State Error [LOG: Notice] Performing action cmalarm for error /fpc/0/pfe/0/cm/0/MQSS(2)/2/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(2) with scope: pfe category: functional level: major [LOG: Notice] Performing action get-state for error /fpc/0/pfe/0/cm/0/MQSS(2)/2/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(2) with scope: pfe category: functional level: major [LOG: Notice] Performing action disable-pfe for error /fpc/0/pfe/0/cm/0/MQSS(2)/2/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(2) with scope: pfe category: functional level: major By continuously sending fragmented packets that cannot be reassembled, an attacker can repeatedly disable the PFE causing a sustained Denial of Service (DoS). This issue affects Juniper Networks Junos OS: 17.2 versions prior to 17.2R3-S4 on MX Series; 17.3 versions prior to 17.3R3-S8 on MX Series; 17.4 versions prior to 17.4R2-S9, 17.4R3-S1 on MX Series; 18.1 versions prior to 18.1R3-S10 on MX Series; 18.2 versions prior to 18.2R2-S6, 18.2R3-S3 on MX Series; 18.2X75 versions prior to 18.2X75-D34, 18.2X75-D41, 18.2X75-D53, 18.2X75-D65, 18.2X75-D430 on MX Series; 18.3 versions prior to 18.3R1-S7, 18.3R2-S4, 18.3R3-S2 on MX Series; 18.4 versions prior to 18.4R1-S6, 18.4R2-S4, 18.4R3 on MX Series; 19.1 versions prior to 19.1R1-S4, 19.1R2-S1, 19.1R3 on MX Series; 19.2 versions prior to 19.2R1-S3, 19.2R2 on MX Series; 19.3 versions prior to 19.3R2-S2, 19.3R3 on MX Series. This issue is specific to inline IP reassembly, introduced in Junos OS 17.2. Versions of Junos OS prior to 17.2 are unaffected by this vulnerability.
| Software | From | Fixed in |
|---|---|---|
| juniper / junos | 17.2-r1 | 17.2-r1.x |
| juniper / junos | 17.2-r2 | 17.2-r2.x |
| juniper / junos | 17.2-r1-s2 | 17.2-r1-s2.x |
| juniper / junos | 17.2-r2-s6 | 17.2-r2-s6.x |
| juniper / junos | 17.2-r1-s1 | 17.2-r1-s1.x |
| juniper / junos | 17.2-r1-s3 | 17.2-r1-s3.x |
| juniper / junos | 17.2-r1-s5 | 17.2-r1-s5.x |
| juniper / junos | 17.2-r1-s4 | 17.2-r1-s4.x |
| juniper / junos | 17.2-r1-s7 | 17.2-r1-s7.x |
| juniper / junos | 17.2 | 17.2.x |
| juniper / junos | 17.2-r2-s7 | 17.2-r2-s7.x |
| juniper / junos | 17.2-r3-s1 | 17.2-r3-s1.x |
| juniper / junos | 17.2-r1-s8 | 17.2-r1-s8.x |
| juniper / junos | 17.2-r3-s2 | 17.2-r3-s2.x |
| juniper / junos | 17.2-r2-s11 | 17.2-r2-s11.x |
| juniper / junos | 17.2-r3-s3 | 17.2-r3-s3.x |
| juniper / junos | 17.3-r3-s7 | 17.3-r3-s7.x |
| juniper / junos | 17.3-r2-s4 | 17.3-r2-s4.x |
| juniper / junos | 17.3-r1-s1 | 17.3-r1-s1.x |
| juniper / junos | 17.3-r2-s3 | 17.3-r2-s3.x |
| juniper / junos | 17.3-r3-s4 | 17.3-r3-s4.x |
| juniper / junos | 17.3 | 17.3.x |
| juniper / junos | 17.3-r3 | 17.3-r3.x |
| juniper / junos | 17.3-r3-s3 | 17.3-r3-s3.x |
| juniper / junos | 17.3-r2-s1 | 17.3-r2-s1.x |
| juniper / junos | 17.3-r3-s1 | 17.3-r3-s1.x |
| juniper / junos | 17.3-r3-s2 | 17.3-r3-s2.x |
| juniper / junos | 17.3-r2-s2 | 17.3-r2-s2.x |
| juniper / junos | 17.3-r2 | 17.3-r2.x |
| juniper / junos | 17.4-r1 | 17.4-r1.x |
| juniper / junos | 17.4-r2 | 17.4-r2.x |
| juniper / junos | 17.4-r1-s1 | 17.4-r1-s1.x |
| juniper / junos | 17.4-r1-s2 | 17.4-r1-s2.x |
| juniper / junos | 17.4-r2-s2 | 17.4-r2-s2.x |
| juniper / junos | 17.4-r3 | 17.4-r3.x |
| juniper / junos | 17.4-r2-s1 | 17.4-r2-s1.x |
| juniper / junos | 17.4 | 17.4.x |
| juniper / junos | 17.4-r1-s5 | 17.4-r1-s5.x |
| juniper / junos | 17.4-r2-s3 | 17.4-r2-s3.x |
| juniper / junos | 17.4-r2-s4 | 17.4-r2-s4.x |
| juniper / junos | 17.4-r1-s6 | 17.4-r1-s6.x |
| juniper / junos | 17.4-r1-s7 | 17.4-r1-s7.x |
| juniper / junos | 17.4-r1-s4 | 17.4-r1-s4.x |
| juniper / junos | 17.4-r2-s5 | 17.4-r2-s5.x |
| juniper / junos | 17.4-r2-s6 | 17.4-r2-s6.x |
| juniper / junos | 17.4-r2-s7 | 17.4-r2-s7.x |
| juniper / junos | 17.4-r2-s8 | 17.4-r2-s8.x |
| juniper / junos | 17.4-r2-s10 | 17.4-r2-s10.x |
| juniper / junos | 18.1-r3-s9 | 18.1-r3-s9.x |
| juniper / junos | 18.1-r3-s8 | 18.1-r3-s8.x |
| juniper / junos | 18.1-r3-s6 | 18.1-r3-s6.x |
| juniper / junos | 18.1-r3-s7 | 18.1-r3-s7.x |
| juniper / junos | 18.1-r3-s1 | 18.1-r3-s1.x |
| juniper / junos | 18.1-r3-s4 | 18.1-r3-s4.x |
| juniper / junos | 18.1-r3-s3 | 18.1-r3-s3.x |
| juniper / junos | 18.1-r3-s2 | 18.1-r3-s2.x |
| juniper / junos | 18.1 | 18.1.x |
| juniper / junos | 18.1-r2-s1 | 18.1-r2-s1.x |
| juniper / junos | 18.1-r2-s4 | 18.1-r2-s4.x |
| juniper / junos | 18.1-r2-s2 | 18.1-r2-s2.x |
| juniper / junos | 18.1-r1 | 18.1-r1.x |
| juniper / junos | 18.1-r3 | 18.1-r3.x |
| juniper / junos | 18.1-r2 | 18.1-r2.x |
| juniper / junos | 18.2-r1 | 18.2-r1.x |
| juniper / junos | 18.2 | 18.2.x |
| juniper / junos | 18.2-r2-s1 | 18.2-r2-s1.x |
| juniper / junos | 18.2-r2-s2 | 18.2-r2-s2.x |
| juniper / junos | 18.2-r1-s3 | 18.2-r1-s3.x |
| juniper / junos | 18.2-r2-s3 | 18.2-r2-s3.x |
| juniper / junos | 18.2-r2-s4 | 18.2-r2-s4.x |
| juniper / junos | 18.2-r1-s4 | 18.2-r1-s4.x |
| juniper / junos | 18.2-r1-s5 | 18.2-r1-s5.x |
| juniper / junos | 18.2-r2 | 18.2-r2.x |
| juniper / junos | 18.2-r3-s2 | 18.2-r3-s2.x |
| juniper / junos | 18.2-r3-s1 | 18.2-r3-s1.x |
| juniper / junos | 18.2-r3 | 18.2-r3.x |
| juniper / junos | 18.2-r2-s5 | 18.2-r2-s5.x |
| juniper / junos | 18.2x75-d30 | 18.2x75-d30.x |
| juniper / junos | 18.2x75 | 18.2x75.x |
| juniper / junos | 18.2x75-d20 | 18.2x75-d20.x |
| juniper / junos | 18.3-r1-s2 | 18.3-r1-s2.x |
| juniper / junos | 18.3 | 18.3.x |
| juniper / junos | 18.3-r1-s3 | 18.3-r1-s3.x |
| juniper / junos | 18.3-r1-s1 | 18.3-r1-s1.x |
| juniper / junos | 18.3-r2 | 18.3-r2.x |
| juniper / junos | 18.3-r1 | 18.3-r1.x |
| juniper / junos | 18.3-r1-s6 | 18.3-r1-s6.x |
| juniper / junos | 18.3-r3 | 18.3-r3.x |
| juniper / junos | 18.3-r3-s1 | 18.3-r3-s1.x |
| juniper / junos | 18.3-r2-s3 | 18.3-r2-s3.x |
| juniper / junos | 18.3-r1-s5 | 18.3-r1-s5.x |
| juniper / junos | 18.3-r2-s1 | 18.3-r2-s1.x |
| juniper / junos | 18.3-r2-s2 | 18.3-r2-s2.x |
| juniper / junos | 18.4-r2-s1 | 18.4-r2-s1.x |
| juniper / junos | 18.4-r2 | 18.4-r2.x |
| juniper / junos | 18.4-r1-s5 | 18.4-r1-s5.x |
| juniper / junos | 18.4-r2-s3 | 18.4-r2-s3.x |
| juniper / junos | 18.4-r2-s2 | 18.4-r2-s2.x |
| juniper / junos | 18.4-r1 | 18.4-r1.x |
| juniper / junos | 18.4-r1-s1 | 18.4-r1-s1.x |
| juniper / junos | 18.4 | 18.4.x |
| juniper / junos | 18.4-r1-s2 | 18.4-r1-s2.x |
| juniper / junos | 19.1-r1 | 19.1-r1.x |
| juniper / junos | 19.1 | 19.1.x |
| juniper / junos | 19.1-r1-s1 | 19.1-r1-s1.x |
| juniper / junos | 19.1-r1-s3 | 19.1-r1-s3.x |
| juniper / junos | 19.1-r1-s2 | 19.1-r1-s2.x |
| juniper / junos | 19.1-r2 | 19.1-r2.x |
| juniper / junos | 19.2-r1-s1 | 19.2-r1-s1.x |
| juniper / junos | 19.2-r1-s2 | 19.2-r1-s2.x |
| juniper / junos | 19.2 | 19.2.x |
| juniper / junos | 19.2-r1 | 19.2-r1.x |
| juniper / junos | 19.3 | 19.3.x |
| juniper / junos | 19.3-r1 | 19.3-r1.x |
| juniper / junos | 19.3-r2 | 19.3-r2.x |
| juniper / junos | 19.3-r2-s1 | 19.3-r2-s1.x |
| juniper / junos | 19.3-r1-s1 | 19.3-r1-s1.x |