CVE-2022-22174

A vulnerability in the processing of inbound IPv6 packets in Juniper Networks Junos OS on QFX5000 Series and EX4600 switches may cause the memory to not be freed, leading to a packet DMA memory leak, and eventual Denial of Service (DoS) condition. Once the condition occurs, further packet processing will be impacted, creating a sustained Denial of Service (DoS) condition. The following error logs may be observed using the show heap command and the device may eventually run out of memory if such packets are received continuously. Jan 12 12:00:00 device-name fpc0 (buf alloc) failed allocating packet buffer Jan 12 12:00:01 device-name fpc0 (buf alloc) failed allocating packet buffer user@device-name> request pfe execute target fpc0 timeout 30 command show heap ID Base Total(b) Free(b) Used(b) % Name – ———- ———– ———– ———– — ———– 0 246fc1a8 536870488 353653752 183216736 34 Kernel 1 91800000 16777216 12069680 4707536 28 DMA 2 92800000 75497472 69997640 5499832 7 PKT DMA DESC 3 106fc000 335544320 221425960 114118360 34 Bcm_sdk 4 97000000 176160768 200 176160568 99 Packet DMA ««««««« 5 903fffe0 20971504 20971504 0 0 Blob This issue affects Juniper Networks Junos OS on QFX5000 Series, EX4600: 18.3R3 versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S3; 19.3 versions prior to 19.3R2-S7, 19.3R3-S4; 19.4 versions prior to 19.4R2-S5, 19.4R3-S6; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2-S1, 21.1R3; 21.2 versions prior to 21.2R1-S1, 21.2R2. This issue does not affect Juniper Networks Junos OS: Any versions prior to 17.4R3; 18.1 versions prior to 18.1R3-S6; 18.2 versions prior to 18.2R3; 18.3 versions prior to 18.3R3; 18.4 versions prior to 18.4R2; 19.1 versions prior to 19.1R2.

Weakness

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Affected Software

Name	Vendor	Start Version	End Version
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.3	18.3
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	18.4	18.4
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.1	19.1
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.2	19.2
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.3	19.3
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	19.4	19.4
Junos	Juniper	20.1	20.1
Junos	Juniper	20.1	20.1
Junos	Juniper	20.1	20.1
Junos	Juniper	20.1	20.1
Junos	Juniper	20.1	20.1
Junos	Juniper	20.1	20.1
Junos	Juniper	20.1	20.1
Junos	Juniper	20.1	20.1
Junos	Juniper	20.1	20.1
Junos	Juniper	20.1	20.1
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.2	20.2
Junos	Juniper	20.3	20.3
Junos	Juniper	20.3	20.3
Junos	Juniper	20.3	20.3
Junos	Juniper	20.3	20.3
Junos	Juniper	20.3	20.3
Junos	Juniper	20.3	20.3
Junos	Juniper	20.4	20.4
Junos	Juniper	20.4	20.4
Junos	Juniper	20.4	20.4
Junos	Juniper	20.4	20.4
Junos	Juniper	20.4	20.4
Junos	Juniper	20.4	20.4
Junos	Juniper	21.1	21.1
Junos	Juniper	21.1	21.1
Junos	Juniper	21.1	21.1
Junos	Juniper	21.1	21.1
Junos	Juniper	21.2	21.2
Junos	Juniper	21.2	21.2

Potential Mitigations

Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
For example, glibc in Linux provides protection against free of invalid pointers.
When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.

References

https://kb.juniper.net/JSA11280

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-22174
CWE	https://cwe.mitre.org/data/definitions/401.html

Missing Release of Memory after Effective Lifetime

Weakness

Affected Software

Potential Mitigations

References