CVE-2021-0289 - Vulnerability Details

CVE-2021-0289 - Junos OS: User-defined ARP Policer isn't applied on Aggregated Ethernet (AE) interface until firewall process is restarted

When user-defined ARP Policer is configured and applied on one or more Aggregated Ethernet (AE) interface units, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability between the Device Control Daemon (DCD) and firewall process (dfwd) daemons of Juniper Networks Junos OS allows an attacker to bypass the user-defined ARP Policer. In this particular case the User ARP policer is replaced with default ARP policer. To review the desired ARP Policers and actual state one can run the command "show interfaces <> extensive" and review the output. See further details below. An example output is: show interfaces extensive | match policer Policer: Input: __default_arp_policer__ <<< incorrect if user ARP Policer was applied on an AE interface and the default ARP Policer is displayed Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user ARP Policer was applied on an AE interface For all platforms, except SRX Series: This issue affects Juniper Networks Junos OS: All versions 5.6R1 and all later versions prior to 18.4 versions prior to 18.4R2-S9, 18.4R3-S9 with the exception of 15.1 versions 15.1R7-S10 and later versions; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2; This issue does not affect Juniper Networks Junos OS versions prior to 5.6R1. On SRX Series this issue affects Juniper Networks Junos OS: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.4 versions prior to 19.4R3-S4; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. This issue does not affect 18.4 versions prior to 18.4R1 on SRX Series. This issue does not affect Junos OS Evolved.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00063.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Juniper Networks

Junos OS

affected

Version	Status	Constraints
`unspecified`	unaffected	< 5.6R1
`5.6R1`	affected	< 5.6*
`15.1`	affected	< 15.1R7-S10
`16.1R1`	affected	< 16.1*
`16.2R1`	affected	< 16.2*
`17.1R1`	affected	< 17.1*
`17.2R1`	affected	< 17.2*
`17.3R1`	affected	< 17.3*
`17.4R1`	affected	< 17.4*
`18.1R1`	affected	< 18.1*
`18.2R1`	affected	< 18.2*
`18.3R1`	affected	< 18.3*
`18.4`	affected	< 18.4R2-S9, 18.4R3-S9
`19.4`	affected	< 19.4R3-S3
`20.1`	affected	< 20.1R3
`20.2`	affected	< 20.2R3-S2
`20.3R1`	affected	< 20.3*
`20.4`	affected	< 20.4R3
`21.1`	affected	< 21.1R2

Juniper Networks

Junos OS

affected

Version	Status	Constraints
`18.4`	affected	< 18.4R2-S9, 18.4R3-S9
`19.4`	affected	< 19.4R3-S3
`20.1`	affected	< 20.1R3
`20.2`	unaffected	< 20.2R3-S2
`20.3R1`	affected	< 20.3*
`20.4`	affected	< 20.4R3
`21.1`	affected	< 21.1R2

Juniper Networks

Junos OS Evolved

affected

Version	Status	Constraints
`Any`	unaffected	—

Configuration 1 [-]

AND

OR	cpe:2.3:o:juniper:junos::::::::
	cpe:2.3:o:juniper:junos::::::::
	cpe:2.3:o:juniper:junos:5.6:r1::::::
	cpe:2.3:o:juniper:junos:18.4:-::::::
	cpe:2.3:o:juniper:junos:18.4:r1::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r2::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s8::::::
	cpe:2.3:o:juniper:junos:18.4:r3::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s8::::::
	cpe:2.3:o:juniper:junos:19.4:r1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r3::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s2::::::
	cpe:2.3:o:juniper:junos:20.1:r1::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s3::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s4::::::
	cpe:2.3:o:juniper:junos:20.1:r2::::::
	cpe:2.3:o:juniper:junos:20.1:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r3::::::
	cpe:2.3:o:juniper:junos:20.2:r3-s1::::::
	cpe:2.3:o:juniper:junos:20.4:r1::::::
	cpe:2.3:o:juniper:junos:20.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.4:r2::::::
	cpe:2.3:o:juniper:junos:20.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:21.1:r1::::::

OR	cpe:2.3:h:juniper:acx1000:-:::::::*
	cpe:2.3:h:juniper:acx1100:-:::::::*
	cpe:2.3:h:juniper:acx2000:-:::::::*
	cpe:2.3:h:juniper:acx2100:-:::::::*
	cpe:2.3:h:juniper:acx2200:-:::::::*
	cpe:2.3:h:juniper:acx4000:-:::::::*
	cpe:2.3:h:juniper:acx500:-:::::::*
	cpe:2.3:h:juniper:acx5000:-:::::::*
	cpe:2.3:h:juniper:acx5048:-:::::::*
	cpe:2.3:h:juniper:acx5096:-:::::::*
	cpe:2.3:h:juniper:acx5400:-:::::::*
	cpe:2.3:h:juniper:acx5448:-:::::::*
	cpe:2.3:h:juniper:acx5800:-:::::::*
	cpe:2.3:h:juniper:acx6300:-:::::::*
	cpe:2.3:h:juniper:acx6360:-:::::::*
	cpe:2.3:h:juniper:acx710:-:::::::*
	cpe:2.3:h:juniper:atp400:-:::::::*
	cpe:2.3:h:juniper:atp700:-:::::::*
	cpe:2.3:h:juniper:csrx:-:::::::*
	cpe:2.3:h:juniper:ctp150:-:::::::*
	cpe:2.3:h:juniper:ctp2008:-:::::::*
	cpe:2.3:h:juniper:ctp2024:-:::::::*
	cpe:2.3:h:juniper:ctp2056:-:::::::*
	cpe:2.3:h:juniper:dx:-:::::::*
	cpe:2.3:h:juniper:dx:5.1:::::::*
	cpe:2.3:h:juniper:ex_rps:-:::::::*
	cpe:2.3:h:juniper:ex2200:-:::::::*
	cpe:2.3:h:juniper:ex2200-c:-:::::::*
	cpe:2.3:h:juniper:ex2200-vc:-:::::::*
	cpe:2.3:h:juniper:ex2300:-:::::::*
	cpe:2.3:h:juniper:ex2300-c:-:::::::*
	cpe:2.3:h:juniper:ex2300m:-:::::::*
	cpe:2.3:h:juniper:ex3200:-:::::::*
	cpe:2.3:h:juniper:ex3300:-:::::::*
	cpe:2.3:h:juniper:ex3300-vc:-:::::::*
	cpe:2.3:h:juniper:ex3400:-:::::::*
	cpe:2.3:h:juniper:ex4200:-:::::::*
	cpe:2.3:h:juniper:ex4200-vc:-:::::::*
	cpe:2.3:h:juniper:ex4300:-:::::::*
	cpe:2.3:h:juniper:ex4300-24p:-:::::::*
	cpe:2.3:h:juniper:ex4300-24p-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-24t:-:::::::*
	cpe:2.3:h:juniper:ex4300-24t-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-32f:-:::::::*
	cpe:2.3:h:juniper:ex4300-32f-dc:-:::::::*
	cpe:2.3:h:juniper:ex4300-32f-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-48mp:-:::::::*
	cpe:2.3:h:juniper:ex4300-48mp-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-48p:-:::::::*
	cpe:2.3:h:juniper:ex4300-48p-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t-afi:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t-dc:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t-dc-afi:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-48tafi:-:::::::*
	cpe:2.3:h:juniper:ex4300-48tdc:-:::::::*
	cpe:2.3:h:juniper:ex4300-48tdc-afi:-:::::::*
	cpe:2.3:h:juniper:ex4300-mp:-:::::::*
	cpe:2.3:h:juniper:ex4300-vc:-:::::::*
	cpe:2.3:h:juniper:ex4300m:-:::::::*
	cpe:2.3:h:juniper:ex4400:-:::::::*
	cpe:2.3:h:juniper:ex4500:-:::::::*
	cpe:2.3:h:juniper:ex4500-vc:-:::::::*
cpe:2.3:h:juniper:ex4550:-:::::::*
cpe:2.3:h:juniper:ex4550-vc:-:::::::*
cpe:2.3:h:juniper:ex4550\/vc:-:::::::*
cpe:2.3:h:juniper:ex4600:-:::::::*
cpe:2.3:h:juniper:ex4600-vc:-:::::::*
cpe:2.3:h:juniper:ex4650:-:::::::*
cpe:2.3:h:juniper:ex6200:-:::::::*
cpe:2.3:h:juniper:ex6210:-:::::::*
cpe:2.3:h:juniper:ex8200:-:::::::*
cpe:2.3:h:juniper:ex8200-vc:-:::::::*
cpe:2.3:h:juniper:ex8208:-:::::::*
cpe:2.3:h:juniper:ex8216:-:::::::*
cpe:2.3:h:juniper:ex9200:-:::::::*
cpe:2.3:h:juniper:ex9204:-:::::::*
cpe:2.3:h:juniper:ex9208:-:::::::*
cpe:2.3:h:juniper:ex9214:-:::::::*
cpe:2.3:h:juniper:ex9250:-:::::::*
cpe:2.3:h:juniper:ex9251:-:::::::*
cpe:2.3:h:juniper:ex9253:-:::::::*
cpe:2.3:h:juniper:fips_infranet_controller_6500:-:::::::*
cpe:2.3:h:juniper:fips_secure_access_4000:-:::::::*
cpe:2.3:h:juniper:fips_secure_access_4500:-:::::::*
cpe:2.3:h:juniper:fips_secure_access_6000:-:::::::*
cpe:2.3:h:juniper:fips_secure_access_6500:-:::::::*
cpe:2.3:h:juniper:gfx3600:-:::::::*
cpe:2.3:h:juniper:idp250:-:::::::*
cpe:2.3:h:juniper:idp75:-:::::::*
cpe:2.3:h:juniper:idp800:-:::::::*
cpe:2.3:h:juniper:idp8200:-:::::::*
cpe:2.3:h:juniper:infranet_controller_4000:-:::::::*
cpe:2.3:h:juniper:infranet_controller_4500:-:::::::*
cpe:2.3:h:juniper:infranet_controller_6000:-:::::::*
cpe:2.3:h:juniper:infranet_controller_6500:-:::::::*
cpe:2.3:h:juniper:jatp:400:::::::*
cpe:2.3:h:juniper:jatp:700:::::::*
cpe:2.3:h:juniper:junos:-:::::::*
cpe:2.3:h:juniper:junos_space_ja1500_appliance:-:::::::*
cpe:2.3:h:juniper:junos_space_ja2500_appliance:-:::::::*
cpe:2.3:h:juniper:ln1000:-:::::::*
cpe:2.3:h:juniper:ln2600:-:::::::*
cpe:2.3:h:juniper:m10i:-:::::::*
cpe:2.3:h:juniper:m120:-:::::::*
cpe:2.3:h:juniper:m320:-:::::::*
cpe:2.3:h:juniper:m7i:-:::::::*
cpe:2.3:h:juniper:mag2600_gateway:-:::::::*
cpe:2.3:h:juniper:mag4610_gateway:-:::::::*
cpe:2.3:h:juniper:mag6610_gateway:-:::::::*
cpe:2.3:h:juniper:mag6611_gateway:-:::::::*
cpe:2.3:h:juniper:mx:-:::::::*
cpe:2.3:h:juniper:mx10:-:::::::*
cpe:2.3:h:juniper:mx10000:-:::::::*
cpe:2.3:h:juniper:mx10003:-:::::::*
cpe:2.3:h:juniper:mx10008:-:::::::*
cpe:2.3:h:juniper:mx10016:-:::::::*
cpe:2.3:h:juniper:mx104:-:::::::*
cpe:2.3:h:juniper:mx150:-:::::::*
cpe:2.3:h:juniper:mx2008:-:::::::*
cpe:2.3:h:juniper:mx2010:-:::::::*
cpe:2.3:h:juniper:mx2020:-:::::::*
cpe:2.3:h:juniper:mx204:-:::::::*
cpe:2.3:h:juniper:mx240:-:::::::*
cpe:2.3:h:juniper:mx40:-:::::::*
cpe:2.3:h:juniper:mx480:-:::::::*
cpe:2.3:h:juniper:mx5:-:::::::*
cpe:2.3:h:juniper:mx80:-:::::::*
cpe:2.3:h:juniper:mx960:-:::::::*
cpe:2.3:h:juniper:netscreen-5200:-:::::::*
cpe:2.3:h:juniper:netscreen-5400:-:::::::*
cpe:2.3:h:juniper:netscreen-5gt:-:::::::*
cpe:2.3:h:juniper:netscreen-5gt:5.0:::::::*
cpe:2.3:h:juniper:netscreen-idp:3.0:::::::*
cpe:2.3:h:juniper:netscreen-idp:3.0r1:::::::*
cpe:2.3:h:juniper:netscreen-idp:3.0r2:::::::*
cpe:2.3:h:juniper:netscreen-idp_10:-:::::::*
cpe:2.3:h:juniper:netscreen-idp_100:-:::::::*
cpe:2.3:h:juniper:netscreen-idp_1000:-:::::::*
cpe:2.3:h:juniper:netscreen-idp_500:-:::::::*
cpe:2.3:h:juniper:nfx:-:::::::*
cpe:2.3:h:juniper:nfx150:-:::::::*
cpe:2.3:h:juniper:nfx250:-:::::::*
cpe:2.3:h:juniper:nfx350:-:::::::*
cpe:2.3:h:juniper:nsm3000:-:::::::*
cpe:2.3:h:juniper:nsmexpress:-:::::::*
cpe:2.3:h:juniper:ocx1100:-:::::::*
cpe:2.3:h:juniper:ptx1000:-:::::::*
cpe:2.3:h:juniper:ptx1000-72q:-:::::::*
cpe:2.3:h:juniper:ptx10000:-:::::::*
cpe:2.3:h:juniper:ptx10001:-:::::::*
cpe:2.3:h:juniper:ptx10001-36mr:-:::::::*
cpe:2.3:h:juniper:ptx100016:-:::::::*
cpe:2.3:h:juniper:ptx10002:-:::::::*
cpe:2.3:h:juniper:ptx10002-60c:-:::::::*
cpe:2.3:h:juniper:ptx10003:-:::::::*
cpe:2.3:h:juniper:ptx10003_160c:-:::::::*
cpe:2.3:h:juniper:ptx10003_80c:-:::::::*
cpe:2.3:h:juniper:ptx10003_81cd:-:::::::*
cpe:2.3:h:juniper:ptx10004:-:::::::*
cpe:2.3:h:juniper:ptx10008:-:::::::*
cpe:2.3:h:juniper:ptx10016:-:::::::*
cpe:2.3:h:juniper:ptx3000:-:::::::*
cpe:2.3:h:juniper:ptx5000:-:::::::*
cpe:2.3:h:juniper:qfx10000:-:::::::*
cpe:2.3:h:juniper:qfx10002:-:::::::*
cpe:2.3:h:juniper:qfx10002-32q:-:::::::*
cpe:2.3:h:juniper:qfx10002-60c:-:::::::*
cpe:2.3:h:juniper:qfx10002-72q:-:::::::*
cpe:2.3:h:juniper:qfx10008:-:::::::*
cpe:2.3:h:juniper:qfx10016:-:::::::*
cpe:2.3:h:juniper:qfx3000-g:-:::::::*
cpe:2.3:h:juniper:qfx3000-m:-:::::::*
cpe:2.3:h:juniper:qfx3008-i:-:::::::*
cpe:2.3:h:juniper:qfx3100:-:::::::*
cpe:2.3:h:juniper:qfx3500:-:::::::*
cpe:2.3:h:juniper:qfx3600:-:::::::*
cpe:2.3:h:juniper:qfx3600-i:-:::::::*
cpe:2.3:h:juniper:qfx5100:-:::::::*
cpe:2.3:h:juniper:qfx5100-96s:-:::::::*
cpe:2.3:h:juniper:qfx5110:-:::::::*
cpe:2.3:h:juniper:qfx5120:-:::::::*
cpe:2.3:h:juniper:qfx5130:-:::::::*
cpe:2.3:h:juniper:qfx5200:-:::::::*
cpe:2.3:h:juniper:qfx5200-32c:-:::::::*
cpe:2.3:h:juniper:qfx5200-48y:-:::::::*
cpe:2.3:h:juniper:qfx5210:-:::::::*
cpe:2.3:h:juniper:qfx5210-64c:-:::::::*
cpe:2.3:h:juniper:qfx5220:-:::::::*
cpe:2.3:h:juniper:router_m10:-:::::::*
cpe:2.3:h:juniper:router_m16:-:::::::*
cpe:2.3:h:juniper:router_m20:-:::::::*
cpe:2.3:h:juniper:router_m40:-:::::::*
cpe:2.3:h:juniper:router_m5:-:::::::*
cpe:2.3:h:juniper:secure_access_2000:-:::::::*
cpe:2.3:h:juniper:secure_access_2500:-:::::::*
cpe:2.3:h:juniper:secure_access_4000:-:::::::*
cpe:2.3:h:juniper:secure_access_4500:-:::::::*
cpe:2.3:h:juniper:secure_access_6000:-:::::::*
cpe:2.3:h:juniper:secure_access_6500:-:::::::*
cpe:2.3:h:juniper:secure_access_700:-:::::::*
cpe:2.3:h:juniper:t1600:-:::::::*
cpe:2.3:h:juniper:t320:-:::::::*
cpe:2.3:h:juniper:t4000:-:::::::*
cpe:2.3:h:juniper:t640:-:::::::*
cpe:2.3:h:juniper:xre200:-:::::::*

Configuration 2 [-]

AND

OR	cpe:2.3:o:juniper:junos:18.4:-::::::
	cpe:2.3:o:juniper:junos:18.4:r1::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r2::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s8::::::
	cpe:2.3:o:juniper:junos:18.4:r3::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s8::::::
	cpe:2.3:o:juniper:junos:19.4:r1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r3::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s3::::::
	cpe:2.3:o:juniper:junos:20.1:r1::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s3::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s4::::::
	cpe:2.3:o:juniper:junos:20.1:r2::::::
	cpe:2.3:o:juniper:junos:20.1:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r3::::::
	cpe:2.3:o:juniper:junos:20.2:r3-s1::::::
	cpe:2.3:o:juniper:junos:20.3:r1::::::
	cpe:2.3:o:juniper:junos:20.3:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.3:r2::::::
	cpe:2.3:o:juniper:junos:20.4:r1::::::
	cpe:2.3:o:juniper:junos:20.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:21.1:r1-s1::::::

OR	cpe:2.3:h:juniper:srx100:-:::::::*
	cpe:2.3:h:juniper:srx110:-:::::::*
	cpe:2.3:h:juniper:srx1400:-:::::::*
	cpe:2.3:h:juniper:srx1500:-:::::::*
	cpe:2.3:h:juniper:srx210:-:::::::*
	cpe:2.3:h:juniper:srx220:-:::::::*
	cpe:2.3:h:juniper:srx240:-:::::::*
	cpe:2.3:h:juniper:srx240h2:-:::::::*
	cpe:2.3:h:juniper:srx300:-:::::::*
	cpe:2.3:h:juniper:srx320:-:::::::*
	cpe:2.3:h:juniper:srx340:-:::::::*
	cpe:2.3:h:juniper:srx3400:-:::::::*
	cpe:2.3:h:juniper:srx345:-:::::::*
	cpe:2.3:h:juniper:srx3600:-:::::::*
	cpe:2.3:h:juniper:srx380:-:::::::*
	cpe:2.3:h:juniper:srx4000:-:::::::*
	cpe:2.3:h:juniper:srx4100:-:::::::*
	cpe:2.3:h:juniper:srx4200:-:::::::*
	cpe:2.3:h:juniper:srx4600:-:::::::*
	cpe:2.3:h:juniper:srx5000:-:::::::*
	cpe:2.3:h:juniper:srx5400:-:::::::*
	cpe:2.3:h:juniper:srx550:-:::::::*
	cpe:2.3:h:juniper:srx550_hm:-:::::::*
	cpe:2.3:h:juniper:srx550m:-:::::::*
	cpe:2.3:h:juniper:srx5600:-:::::::*
	cpe:2.3:h:juniper:srx5800:-:::::::*
	cpe:2.3:h:juniper:srx650:-:::::::*

No data.

Project Subscriptions

Vendors	Products
Juniper Subscribe	Acx1000 Subscribe Acx1100 Subscribe Acx2000 Subscribe Acx2100 Subscribe Acx2200 Subscribe Acx4000 Subscribe Acx500 Subscribe Acx5000 Subscribe Acx5048 Subscribe Acx5096 Subscribe Acx5400 Subscribe Acx5448 Subscribe Acx5800 Subscribe Acx6300 Subscribe Acx6360 Subscribe Acx710 Subscribe Atp400 Subscribe Atp700 Subscribe Csrx Subscribe Ctp150 Subscribe Ctp2008 Subscribe Ctp2024 Subscribe Ctp2056 Subscribe Dx Subscribe Ex2200 Subscribe Ex2200-c Subscribe Ex2200-vc Subscribe Ex2300 Subscribe Ex2300-c Subscribe Ex2300m Subscribe Ex3200 Subscribe Ex3300 Subscribe Ex3300-vc Subscribe Ex3400 Subscribe Ex4200 Subscribe Ex4200-vc Subscribe Ex4300 Subscribe Ex4300-24p Subscribe Ex4300-24p-s Subscribe Ex4300-24t Subscribe Ex4300-24t-s Subscribe Ex4300-32f Subscribe Ex4300-32f-dc Subscribe Ex4300-32f-s Subscribe Ex4300-48mp Subscribe Ex4300-48mp-s Subscribe Ex4300-48p Subscribe Ex4300-48p-s Subscribe Ex4300-48t Subscribe Ex4300-48t-afi Subscribe Ex4300-48t-dc Subscribe Ex4300-48t-dc-afi Subscribe Ex4300-48t-s Subscribe Ex4300-48tafi Subscribe Ex4300-48tdc Subscribe Ex4300-48tdc-afi Subscribe Ex4300-mp Subscribe Ex4300-vc Subscribe Ex4300m Subscribe Ex4400 Subscribe Ex4500 Subscribe Ex4500-vc Subscribe Ex4550 Subscribe Ex4550-vc Subscribe Ex4550\/vc Subscribe Ex4600 Subscribe Ex4600-vc Subscribe Ex4650 Subscribe Ex6200 Subscribe Ex6210 Subscribe Ex8200 Subscribe Ex8200-vc Subscribe Ex8208 Subscribe Ex8216 Subscribe Ex9200 Subscribe Ex9204 Subscribe Ex9208 Subscribe Ex9214 Subscribe Ex9250 Subscribe Ex9251 Subscribe Ex9253 Subscribe Ex Rps Subscribe Fips Infranet Controller 6500 Subscribe Fips Secure Access 4000 Subscribe Fips Secure Access 4500 Subscribe Fips Secure Access 6000 Subscribe Fips Secure Access 6500 Subscribe Gfx3600 Subscribe Idp250 Subscribe Idp75 Subscribe Idp800 Subscribe Idp8200 Subscribe Infranet Controller 4000 Subscribe Infranet Controller 4500 Subscribe Infranet Controller 6000 Subscribe Infranet Controller 6500 Subscribe Jatp Subscribe Junos Subscribe Junos Space Ja1500 Appliance Subscribe Junos Space Ja2500 Appliance Subscribe Ln1000 Subscribe Ln2600 Subscribe M10i Subscribe M120 Subscribe M320 Subscribe M7i Subscribe Mag2600 Gateway Subscribe Mag4610 Gateway Subscribe Mag6610 Gateway Subscribe Mag6611 Gateway Subscribe Mx Subscribe Mx10 Subscribe Mx10000 Subscribe Mx10003 Subscribe Mx10008 Subscribe Mx10016 Subscribe Mx104 Subscribe Mx150 Subscribe Mx2008 Subscribe Mx2010 Subscribe Mx2020 Subscribe Mx204 Subscribe Mx240 Subscribe Mx40 Subscribe Mx480 Subscribe Mx5 Subscribe Mx80 Subscribe Mx960 Subscribe Netscreen-5200 Subscribe Netscreen-5400 Subscribe Netscreen-5gt Subscribe Netscreen-idp Subscribe Netscreen-idp 10 Subscribe Netscreen-idp 100 Subscribe Netscreen-idp 1000 Subscribe Netscreen-idp 500 Subscribe Nfx Subscribe Nfx150 Subscribe Nfx250 Subscribe Nfx350 Subscribe Nsm3000 Subscribe Nsmexpress Subscribe Ocx1100 Subscribe Ptx1000 Subscribe Ptx1000-72q Subscribe Ptx10000 Subscribe Ptx10001 Subscribe Ptx10001-36mr Subscribe Ptx100016 Subscribe Ptx10002 Subscribe Ptx10002-60c Subscribe Ptx10003 Subscribe Ptx10003 160c Subscribe Ptx10003 80c Subscribe Ptx10003 81cd Subscribe Ptx10004 Subscribe Ptx10008 Subscribe Ptx10016 Subscribe Ptx3000 Subscribe Ptx5000 Subscribe Qfx10000 Subscribe Qfx10002 Subscribe Qfx10002-32q Subscribe Qfx10002-60c Subscribe Qfx10002-72q Subscribe Qfx10008 Subscribe Qfx10016 Subscribe Qfx3000-g Subscribe Qfx3000-m Subscribe Qfx3008-i Subscribe Qfx3100 Subscribe Qfx3500 Subscribe Qfx3600 Subscribe Qfx3600-i Subscribe Qfx5100 Subscribe Qfx5100-96s Subscribe Qfx5110 Subscribe Qfx5120 Subscribe Qfx5130 Subscribe Qfx5200 Subscribe Qfx5200-32c Subscribe Qfx5200-48y Subscribe Qfx5210 Subscribe Qfx5210-64c Subscribe Qfx5220 Subscribe Router M10 Subscribe Router M16 Subscribe Router M20 Subscribe Router M40 Subscribe Router M5 Subscribe Secure Access 2000 Subscribe Secure Access 2500 Subscribe Secure Access 4000 Subscribe Secure Access 4500 Subscribe Secure Access 6000 Subscribe Secure Access 6500 Subscribe Secure Access 700 Subscribe Srx100 Subscribe Srx110 Subscribe Srx1400 Subscribe Srx1500 Subscribe Srx210 Subscribe Srx220 Subscribe Srx240 Subscribe Srx240h2 Subscribe Srx300 Subscribe Srx320 Subscribe Srx340 Subscribe Srx3400 Subscribe Srx345 Subscribe Srx3600 Subscribe Srx380 Subscribe Srx4000 Subscribe Srx4100 Subscribe Srx4200 Subscribe Srx4600 Subscribe Srx5000 Subscribe Srx5400 Subscribe Srx550 Subscribe Srx550 Hm Subscribe Srx550m Subscribe Srx5600 Subscribe Srx5800 Subscribe Srx650 Subscribe T1600 Subscribe T320 Subscribe T4000 Subscribe T640 Subscribe Xre200 Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2021-2908	When user-defined ARP Policer is configured and applied on one or more Aggregated Ethernet (AE) interface units, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability between the Device Control Daemon (DCD) and firewall process (dfwd) daemons of Juniper Networks Junos OS allows an attacker to bypass the user-defined ARP Policer. In this particular case the User ARP policer is replaced with default ARP policer. To review the desired ARP Policers and actual state one can run the command "show interfaces <> extensive" and review the output. See further details below. An example output is: show interfaces extensive \| match policer Policer: Input: __default_arp_policer__ <<< incorrect if user ARP Policer was applied on an AE interface and the default ARP Policer is displayed Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user ARP Policer was applied on an AE interface For all platforms, except SRX Series: This issue affects Juniper Networks Junos OS: All versions 5.6R1 and all later versions prior to 18.4 versions prior to 18.4R2-S9, 18.4R3-S9 with the exception of 15.1 versions 15.1R7-S10 and later versions; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2; This issue does not affect Juniper Networks Junos OS versions prior to 5.6R1. On SRX Series this issue affects Juniper Networks Junos OS: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.4 versions prior to 19.4R3-S4; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. This issue does not affect 18.4 versions prior to 18.4R1 on SRX Series. This issue does not affect Junos OS Evolved.

Fixes

Solution

The following software releases have been updated to resolve this specific issue: For all platforms, except SRX Series, using Junos OS 15.1R7-S10, 18.4R2-S9, 18.4R3-S9, 19.4R3-S4, 20.1R3, 20.2R3-S2, 20.4R3, 21.1R2, 21.2R1, and all subsequent releases. On SRX series using Junos OS 18.4R2-S9, 18.4R3-S9, 19.4R3-S4. 20.1R3, 20.4R3, 21.1R2, 21.2R1, and all subsequent releases.

Workaround

There is no workaround for this issue. If affected by this issue, to recover from its impact, restart the firewall process to update the ARP Policer on the AE interface unit(s). From the CLI issue: cli> restart firewall Note: no side effects on firewall restart shall be seen when issuing this command.

References

Link	Providers
https://kb.juniper.net/JSA11191

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: juniper

Published: 2021-07-15T20:01:05.615580Z

Updated: 2024-09-17T03:48:59.800Z

Reserved: 2020-10-27T00:00:00

Link: CVE-2021-0289

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-07-15T20:15:10.563

Modified: 2024-11-21T05:42:24.760

Link: CVE-2021-0289

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-367

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object