Juniper Junos OS DoS (JSA69873)

🗓️ 27 Oct 2022 00:00:00Reported by TenableType

The Juniper Junos OS on the remote host is vulnerable to DoS (JSA69873) due to improper validation of input, causing a Denial of Service (DoS) condition

Reporter	Title	Published	Views	Family All 9
CNNVD	Juniper Networks Junos OS 输入验证错误漏洞	12 Oct 202200:00	–	cnnvd
CVE	CVE-2022-22223	18 Oct 202202:46	–	cve
Cvelist	CVE-2022-22223 Junos OS: QFX10000 Series: In IP/MPLS PHP node scenarios upon receipt of certain crafted packets multiple interfaces in LAG configurations may detach.	18 Oct 202202:46	–	cvelist
EUVD	EUVD-2022-27370	3 Oct 202520:07	–	euvd
NCSC	Vulnerabilities fixed in Juniper Junos OS	8 Nov 202200:00	–	ncsc
NVD	CVE-2022-22223	18 Oct 202203:15	–	nvd
OSV	CVE-2022-22223	18 Oct 202203:15	–	osv
Prion	Input validation	18 Oct 202203:15	–	prion
Vulnrichment	CVE-2022-22223 Junos OS: QFX10000 Series: In IP/MPLS PHP node scenarios upon receipt of certain crafted packets multiple interfaces in LAG configurations may detach.	18 Oct 202202:46	–	vulnrichment

Source	Link
kb	www.kb.juniper.net/JSA69873
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#TRUSTED 2e8d66daa32cf3b53fc5bcd2760acdfcbd553ceb3cd4afe66e2eb67824ea44a7cea686bf7bea22321e8535f5f109c32aab610dadd16e997b3837b4b2192f5a2fa84a8a0795c1ed30f64c09317b9ced19c0db2474e9663f57079c27e44e8fb9705daae1e72a602d35cdb2222cc3a7191e41317362dea3f782d7fe43e9ee9aaabd322463d74d54fede13762a61feed3089d629f497c306f7dbb48c08e842d6af4df7702821abf845d165d29aaa1f5cc9b622d7786a084ff36138d9d606c7fec4c7d34348e84837480cdf5f9a59018c25734917e0a9a91642c808dc429567abdbd2bb7edd114d7076df7e954a899ef3f4b0f7e82c7aa350197e457a781d260c4e010b779e500103a80ab1ff511570be10cefb144d6139c602069feef8ce630a57755f1786cff76ad56fb272142c11587324db16ed9693dcde02ee659a5f9685ba07d79f3be2b3fb3736439c487699e1af5d699816536319b00a472b45d8c6264db869eb7e0dea55b4a008fd699e789a67b9cd7af08919a258c9dd3246b33daa5baafc13a97d85d6222f6f59d287218e330bea36c88c33e6b70cb31b47639921d2502faba94082d272c12cf90035e49da4fc67d04bc680bee444b0b003105c7ba65d795e43e2137277b9f97d6436f1ee171572c377fba3c16eaccb56a9b1cb7578e1243760750bfcc30772f425572f7e9e2edca0c28e79f325ae5ccfe899447b93d3
#TRUST-RSA-SHA256 5136c808e6211a3ddbc433d09e9b307bc587f69659e539575fa44501e31e7e88c1cac4eba216052bc82aea7895bd2ba33b44587519df35526f07bbc9b02208d51b44d4a09225cacaa9434cfdfd32bdc94a6fb8239102532ad2398fdf3642a1c58a72aeb4c0a57d19d98fdd29ac22b1639e72ed902820db9bcef5dd908be113dfbfda304e45e9fdfded678bb7ef88bac64739c54f41c60247e59717768d733566aa4a6f2e07f94df52e2c4868ac4589323bb7469a6a221c1db42434419e33b148ad830953d9682c98087a63a0b815238439c9f0e7afb84ebc6969d12c2e6827540e658c5a494dbbcfe878e22f3caa9c5b2120aa28eea6ed6f09f6eb0a947845f5c5711ef62727395e062fc5dd70b5fbcb50faef5b002093ba728f33f9e9aef6c2da0efcb109826b78e33021b523a5e6dc9bcaec9189a0b77bb5364c92b4f92d747da004bc713664f47461a4b40ed4f531645e51a42ff394c7bf08a6e8fa91a0a22a7b75e555be1e0f472a4c1524faaafb0a067c04b1a25d63a3e114165011c9d3e30fe733940d0ffcf0bf9b9fa5ab0b91933816ff56f695d25e91c51f6f6bd7cce156f1fe3c9424b1a5bcb05a10fa29c41f5d89416c1c002315c60eb2177f3879d3ae570d600083f8567167216bbda1af561fa3dd3f68a99f8bee1d130b24ab48dd92fc72335261b580096ed04d4bfb5cdaebac471d05c3503c2269a7364be67d
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(166604);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/22");

  script_cve_id("CVE-2022-22223");
  script_xref(name:"JSA", value:"JSA69873");

  script_name(english:"Juniper Junos OS DoS (JSA69873)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Junos OS installed on the remote host is affected by a denial of service (DoS) vulnerability. On 
QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping 
(PHP) nodes with link aggregation group (LAG) interfaces, an Improper Validation of Specified Index, Position, or 
Offset in Input weakness allows an attacker sending certain IP packets to cause multiple interfaces in the LAG to 
detach causing a Denial of Service (DoS) condition as referenced in theJSA69873 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA69873");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA69873");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-22223");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/27");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");

  exit(0);
}

include('junos.inc');
include('junos_kb_cmd_func.inc');

var ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
var model = get_kb_item_or_exit('Host/Juniper/model');

if (model !~ "^QFX(10K|100[0-9]{2})")
  audit(AUDIT_DEVICE_NOT_VULN, model);

var vuln_ranges = [
  {'min_ver':'18.4', 'fixed_ver':'18.4R2-S10'},
  {'min_ver':'18.4R3', 'fixed_ver':'18.4R3-S10'},
  {'min_ver':'19.1', 'fixed_ver':'19.1R3-S8'},
  {'min_ver':'19.2', 'fixed_ver':'19.2R3-S4'},
  {'min_ver':'19.3', 'fixed_ver':'19.3R3-S5'},
  {'min_ver':'19.4', 'fixed_ver':'19.4R2-S6'},
  {'min_ver':'19.4R3', 'fixed_ver':'19.4R3-S7'},
  {'min_ver':'20.1', 'fixed_ver':'20.1R3-S3'},
  {'min_ver':'20.2', 'fixed_ver':'20.2R3-S3'},
  {'min_ver':'20.3', 'fixed_ver':'20.3R3-S2'},
  {'min_ver':'20.4', 'fixed_ver':'20.4R3-S4'},
  {'min_ver':'21.1', 'fixed_ver':'21.1R3'},
  {'min_ver':'21.2', 'fixed_ver':'21.2R3-S3'},
  {'min_ver':'21.3', 'fixed_ver':'21.3R3-S1'}
];

# Only vuln when configured as transit IP/MPLS penultimate hop popping (PHP) nodes with link aggregation group (LAG) interfaces
var override = TRUE;
var buf = junos_command_kb_item(cmd:'show configuration | display set');
if (buf)
{
  override = FALSE;
  if (!preg(string:buf, pattern:"^interfaces .+ unit .+ family inet address", multiline:TRUE) ||
     !preg(string:buf, pattern:"^interfaces .+ unit .+ family mpls", multiline:TRUE) ||
     !preg(string:buf, pattern:"^protocols rsvp interface .+(\\n|$)", multiline:TRUE) ||
     !preg(string:buf, pattern:"^protocols mpls interface .+(\\n|$)", multiline:TRUE) ||
     !preg(string:buf, pattern:"^protocols ospf area .* interface .+(\\n|$)", multiline:TRUE))
    audit(AUDIT_HOST_NOT, 'running a vulnerable configuration');
}

var fix = junos_compare_range(target_version:ver, vuln_ranges:vuln_ranges);
if (empty_or_null(fix))
  audit(AUDIT_INST_VER_NOT_VULN, 'Junos OS', ver);
junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_HOLE);

22 Apr 2026 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 3.16.5 - 7.5

EPSS0.0041

SSVC