CVE-2021-0289 - Vulnerability Details

- Junos OS: User-defined ARP Policer isn't applied on Aggregated Ethernet (AE) interface until firewall process is restarted

Description

When user-defined ARP Policer is configured and applied on one or more Aggregated Ethernet (AE) interface units, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability between the Device Control Daemon (DCD) and firewall process (dfwd) daemons of Juniper Networks Junos OS allows an attacker to bypass the user-defined ARP Policer. In this particular case the User ARP policer is replaced with default ARP policer. To review the desired ARP Policers and actual state one can run the command "show interfaces <> extensive" and review the output. See further details below. An example output is: show interfaces extensive | match policer Policer: Input: __default_arp_policer__ <<< incorrect if user ARP Policer was applied on an AE interface and the default ARP Policer is displayed Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user ARP Policer was applied on an AE interface For all platforms, except SRX Series: This issue affects Juniper Networks Junos OS: All versions 5.6R1 and all later versions prior to 18.4 versions prior to 18.4R2-S9, 18.4R3-S9 with the exception of 15.1 versions 15.1R7-S10 and later versions; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2; This issue does not affect Juniper Networks Junos OS versions prior to 5.6R1. On SRX Series this issue affects Juniper Networks Junos OS: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.4 versions prior to 19.4R3-S4; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. This issue does not affect 18.4 versions prior to 18.4R1 on SRX Series. This issue does not affect Junos OS Evolved.

Published: 2021-07-15

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Juniper Networks

Junos OS

affected

Version	Status	Constraints
`unspecified`	unaffected	< 5.6R1
`5.6R1`	affected	< 5.6*
`15.1`	affected	< 15.1R7-S10
`16.1R1`	affected	< 16.1*
`16.2R1`	affected	< 16.2*
`17.1R1`	affected	< 17.1*
`17.2R1`	affected	< 17.2*
`17.3R1`	affected	< 17.3*
`17.4R1`	affected	< 17.4*
`18.1R1`	affected	< 18.1*
`18.2R1`	affected	< 18.2*
`18.3R1`	affected	< 18.3*
`18.4`	affected	< 18.4R2-S9, 18.4R3-S9
`19.4`	affected	< 19.4R3-S3
`20.1`	affected	< 20.1R3
`20.2`	affected	< 20.2R3-S2
`20.3R1`	affected	< 20.3*
`20.4`	affected	< 20.4R3
`21.1`	affected	< 21.1R2

Juniper Networks

Junos OS

affected

Version	Status	Constraints
`18.4`	affected	< 18.4R2-S9, 18.4R3-S9
`19.4`	affected	< 19.4R3-S3
`20.1`	affected	< 20.1R3
`20.2`	unaffected	< 20.2R3-S2
`20.3R1`	affected	< 20.3*
`20.4`	affected	< 20.4R3
`21.1`	affected	< 21.1R2

Juniper Networks

Junos OS Evolved

affected

Version	Status	Constraints
`Any`	unaffected	—

Configuration 1 [-]

AND

OR	cpe:2.3:o:juniper:junos::::::::
	cpe:2.3:o:juniper:junos::::::::
	cpe:2.3:o:juniper:junos:5.6:r1::::::
	cpe:2.3:o:juniper:junos:18.4:-::::::
	cpe:2.3:o:juniper:junos:18.4:r1::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r2::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s8::::::
	cpe:2.3:o:juniper:junos:18.4:r3::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s8::::::
	cpe:2.3:o:juniper:junos:19.4:r1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r3::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s2::::::
	cpe:2.3:o:juniper:junos:20.1:r1::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s3::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s4::::::
	cpe:2.3:o:juniper:junos:20.1:r2::::::
	cpe:2.3:o:juniper:junos:20.1:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r3::::::
	cpe:2.3:o:juniper:junos:20.2:r3-s1::::::
	cpe:2.3:o:juniper:junos:20.4:r1::::::
	cpe:2.3:o:juniper:junos:20.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.4:r2::::::
	cpe:2.3:o:juniper:junos:20.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:21.1:r1::::::

OR	cpe:2.3:h:juniper:acx1000:-:::::::*
	cpe:2.3:h:juniper:acx1100:-:::::::*
	cpe:2.3:h:juniper:acx2000:-:::::::*
	cpe:2.3:h:juniper:acx2100:-:::::::*
	cpe:2.3:h:juniper:acx2200:-:::::::*
	cpe:2.3:h:juniper:acx4000:-:::::::*
	cpe:2.3:h:juniper:acx500:-:::::::*
	cpe:2.3:h:juniper:acx5000:-:::::::*
	cpe:2.3:h:juniper:acx5048:-:::::::*
	cpe:2.3:h:juniper:acx5096:-:::::::*
	cpe:2.3:h:juniper:acx5400:-:::::::*
	cpe:2.3:h:juniper:acx5448:-:::::::*
	cpe:2.3:h:juniper:acx5800:-:::::::*
	cpe:2.3:h:juniper:acx6300:-:::::::*
	cpe:2.3:h:juniper:acx6360:-:::::::*
	cpe:2.3:h:juniper:acx710:-:::::::*
	cpe:2.3:h:juniper:atp400:-:::::::*
	cpe:2.3:h:juniper:atp700:-:::::::*
	cpe:2.3:h:juniper:csrx:-:::::::*
	cpe:2.3:h:juniper:ctp150:-:::::::*
	cpe:2.3:h:juniper:ctp2008:-:::::::*
	cpe:2.3:h:juniper:ctp2024:-:::::::*
	cpe:2.3:h:juniper:ctp2056:-:::::::*
	cpe:2.3:h:juniper:dx:-:::::::*
	cpe:2.3:h:juniper:dx:5.1:::::::*
	cpe:2.3:h:juniper:ex_rps:-:::::::*
	cpe:2.3:h:juniper:ex2200:-:::::::*
	cpe:2.3:h:juniper:ex2200-c:-:::::::*
	cpe:2.3:h:juniper:ex2200-vc:-:::::::*
	cpe:2.3:h:juniper:ex2300:-:::::::*
	cpe:2.3:h:juniper:ex2300-c:-:::::::*
	cpe:2.3:h:juniper:ex2300m:-:::::::*
	cpe:2.3:h:juniper:ex3200:-:::::::*
	cpe:2.3:h:juniper:ex3300:-:::::::*
	cpe:2.3:h:juniper:ex3300-vc:-:::::::*
	cpe:2.3:h:juniper:ex3400:-:::::::*
	cpe:2.3:h:juniper:ex4200:-:::::::*
	cpe:2.3:h:juniper:ex4200-vc:-:::::::*
	cpe:2.3:h:juniper:ex4300:-:::::::*
	cpe:2.3:h:juniper:ex4300-24p:-:::::::*
	cpe:2.3:h:juniper:ex4300-24p-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-24t:-:::::::*
	cpe:2.3:h:juniper:ex4300-24t-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-32f:-:::::::*
	cpe:2.3:h:juniper:ex4300-32f-dc:-:::::::*
	cpe:2.3:h:juniper:ex4300-32f-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-48mp:-:::::::*
	cpe:2.3:h:juniper:ex4300-48mp-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-48p:-:::::::*
	cpe:2.3:h:juniper:ex4300-48p-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t-afi:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t-dc:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t-dc-afi:-:::::::*
	cpe:2.3:h:juniper:ex4300-48t-s:-:::::::*
	cpe:2.3:h:juniper:ex4300-48tafi:-:::::::*
	cpe:2.3:h:juniper:ex4300-48tdc:-:::::::*
	cpe:2.3:h:juniper:ex4300-48tdc-afi:-:::::::*
	cpe:2.3:h:juniper:ex4300-mp:-:::::::*
	cpe:2.3:h:juniper:ex4300-vc:-:::::::*
	cpe:2.3:h:juniper:ex4300m:-:::::::*
	cpe:2.3:h:juniper:ex4400:-:::::::*
	cpe:2.3:h:juniper:ex4500:-:::::::*
	cpe:2.3:h:juniper:ex4500-vc:-:::::::*
cpe:2.3:h:juniper:ex4550:-:::::::*
cpe:2.3:h:juniper:ex4550-vc:-:::::::*
cpe:2.3:h:juniper:ex4550\/vc:-:::::::*
cpe:2.3:h:juniper:ex4600:-:::::::*
cpe:2.3:h:juniper:ex4600-vc:-:::::::*
cpe:2.3:h:juniper:ex4650:-:::::::*
cpe:2.3:h:juniper:ex6200:-:::::::*
cpe:2.3:h:juniper:ex6210:-:::::::*
cpe:2.3:h:juniper:ex8200:-:::::::*
cpe:2.3:h:juniper:ex8200-vc:-:::::::*
cpe:2.3:h:juniper:ex8208:-:::::::*
cpe:2.3:h:juniper:ex8216:-:::::::*
cpe:2.3:h:juniper:ex9200:-:::::::*
cpe:2.3:h:juniper:ex9204:-:::::::*
cpe:2.3:h:juniper:ex9208:-:::::::*
cpe:2.3:h:juniper:ex9214:-:::::::*
cpe:2.3:h:juniper:ex9250:-:::::::*
cpe:2.3:h:juniper:ex9251:-:::::::*
cpe:2.3:h:juniper:ex9253:-:::::::*
cpe:2.3:h:juniper:fips_infranet_controller_6500:-:::::::*
cpe:2.3:h:juniper:fips_secure_access_4000:-:::::::*
cpe:2.3:h:juniper:fips_secure_access_4500:-:::::::*
cpe:2.3:h:juniper:fips_secure_access_6000:-:::::::*
cpe:2.3:h:juniper:fips_secure_access_6500:-:::::::*
cpe:2.3:h:juniper:gfx3600:-:::::::*
cpe:2.3:h:juniper:idp250:-:::::::*
cpe:2.3:h:juniper:idp75:-:::::::*
cpe:2.3:h:juniper:idp800:-:::::::*
cpe:2.3:h:juniper:idp8200:-:::::::*
cpe:2.3:h:juniper:infranet_controller_4000:-:::::::*
cpe:2.3:h:juniper:infranet_controller_4500:-:::::::*
cpe:2.3:h:juniper:infranet_controller_6000:-:::::::*
cpe:2.3:h:juniper:infranet_controller_6500:-:::::::*
cpe:2.3:h:juniper:jatp:400:::::::*
cpe:2.3:h:juniper:jatp:700:::::::*
cpe:2.3:h:juniper:junos:-:::::::*
cpe:2.3:h:juniper:junos_space_ja1500_appliance:-:::::::*
cpe:2.3:h:juniper:junos_space_ja2500_appliance:-:::::::*
cpe:2.3:h:juniper:ln1000:-:::::::*
cpe:2.3:h:juniper:ln2600:-:::::::*
cpe:2.3:h:juniper:m10i:-:::::::*
cpe:2.3:h:juniper:m120:-:::::::*
cpe:2.3:h:juniper:m320:-:::::::*
cpe:2.3:h:juniper:m7i:-:::::::*
cpe:2.3:h:juniper:mag2600_gateway:-:::::::*
cpe:2.3:h:juniper:mag4610_gateway:-:::::::*
cpe:2.3:h:juniper:mag6610_gateway:-:::::::*
cpe:2.3:h:juniper:mag6611_gateway:-:::::::*
cpe:2.3:h:juniper:mx:-:::::::*
cpe:2.3:h:juniper:mx10:-:::::::*
cpe:2.3:h:juniper:mx10000:-:::::::*
cpe:2.3:h:juniper:mx10003:-:::::::*
cpe:2.3:h:juniper:mx10008:-:::::::*
cpe:2.3:h:juniper:mx10016:-:::::::*
cpe:2.3:h:juniper:mx104:-:::::::*
cpe:2.3:h:juniper:mx150:-:::::::*
cpe:2.3:h:juniper:mx2008:-:::::::*
cpe:2.3:h:juniper:mx2010:-:::::::*
cpe:2.3:h:juniper:mx2020:-:::::::*
cpe:2.3:h:juniper:mx204:-:::::::*
cpe:2.3:h:juniper:mx240:-:::::::*
cpe:2.3:h:juniper:mx40:-:::::::*
cpe:2.3:h:juniper:mx480:-:::::::*
cpe:2.3:h:juniper:mx5:-:::::::*
cpe:2.3:h:juniper:mx80:-:::::::*
cpe:2.3:h:juniper:mx960:-:::::::*
cpe:2.3:h:juniper:netscreen-5200:-:::::::*
cpe:2.3:h:juniper:netscreen-5400:-:::::::*
cpe:2.3:h:juniper:netscreen-5gt:-:::::::*
cpe:2.3:h:juniper:netscreen-5gt:5.0:::::::*
cpe:2.3:h:juniper:netscreen-idp:3.0:::::::*
cpe:2.3:h:juniper:netscreen-idp:3.0r1:::::::*
cpe:2.3:h:juniper:netscreen-idp:3.0r2:::::::*
cpe:2.3:h:juniper:netscreen-idp_10:-:::::::*
cpe:2.3:h:juniper:netscreen-idp_100:-:::::::*
cpe:2.3:h:juniper:netscreen-idp_1000:-:::::::*
cpe:2.3:h:juniper:netscreen-idp_500:-:::::::*
cpe:2.3:h:juniper:nfx:-:::::::*
cpe:2.3:h:juniper:nfx150:-:::::::*
cpe:2.3:h:juniper:nfx250:-:::::::*
cpe:2.3:h:juniper:nfx350:-:::::::*
cpe:2.3:h:juniper:nsm3000:-:::::::*
cpe:2.3:h:juniper:nsmexpress:-:::::::*
cpe:2.3:h:juniper:ocx1100:-:::::::*
cpe:2.3:h:juniper:ptx1000:-:::::::*
cpe:2.3:h:juniper:ptx1000-72q:-:::::::*
cpe:2.3:h:juniper:ptx10000:-:::::::*
cpe:2.3:h:juniper:ptx10001:-:::::::*
cpe:2.3:h:juniper:ptx10001-36mr:-:::::::*
cpe:2.3:h:juniper:ptx100016:-:::::::*
cpe:2.3:h:juniper:ptx10002:-:::::::*
cpe:2.3:h:juniper:ptx10002-60c:-:::::::*
cpe:2.3:h:juniper:ptx10003:-:::::::*
cpe:2.3:h:juniper:ptx10003_160c:-:::::::*
cpe:2.3:h:juniper:ptx10003_80c:-:::::::*
cpe:2.3:h:juniper:ptx10003_81cd:-:::::::*
cpe:2.3:h:juniper:ptx10004:-:::::::*
cpe:2.3:h:juniper:ptx10008:-:::::::*
cpe:2.3:h:juniper:ptx10016:-:::::::*
cpe:2.3:h:juniper:ptx3000:-:::::::*
cpe:2.3:h:juniper:ptx5000:-:::::::*
cpe:2.3:h:juniper:qfx10000:-:::::::*
cpe:2.3:h:juniper:qfx10002:-:::::::*
cpe:2.3:h:juniper:qfx10002-32q:-:::::::*
cpe:2.3:h:juniper:qfx10002-60c:-:::::::*
cpe:2.3:h:juniper:qfx10002-72q:-:::::::*
cpe:2.3:h:juniper:qfx10008:-:::::::*
cpe:2.3:h:juniper:qfx10016:-:::::::*
cpe:2.3:h:juniper:qfx3000-g:-:::::::*
cpe:2.3:h:juniper:qfx3000-m:-:::::::*
cpe:2.3:h:juniper:qfx3008-i:-:::::::*
cpe:2.3:h:juniper:qfx3100:-:::::::*
cpe:2.3:h:juniper:qfx3500:-:::::::*
cpe:2.3:h:juniper:qfx3600:-:::::::*
cpe:2.3:h:juniper:qfx3600-i:-:::::::*
cpe:2.3:h:juniper:qfx5100:-:::::::*
cpe:2.3:h:juniper:qfx5100-96s:-:::::::*
cpe:2.3:h:juniper:qfx5110:-:::::::*
cpe:2.3:h:juniper:qfx5120:-:::::::*
cpe:2.3:h:juniper:qfx5130:-:::::::*
cpe:2.3:h:juniper:qfx5200:-:::::::*
cpe:2.3:h:juniper:qfx5200-32c:-:::::::*
cpe:2.3:h:juniper:qfx5200-48y:-:::::::*
cpe:2.3:h:juniper:qfx5210:-:::::::*
cpe:2.3:h:juniper:qfx5210-64c:-:::::::*
cpe:2.3:h:juniper:qfx5220:-:::::::*
cpe:2.3:h:juniper:router_m10:-:::::::*
cpe:2.3:h:juniper:router_m16:-:::::::*
cpe:2.3:h:juniper:router_m20:-:::::::*
cpe:2.3:h:juniper:router_m40:-:::::::*
cpe:2.3:h:juniper:router_m5:-:::::::*
cpe:2.3:h:juniper:secure_access_2000:-:::::::*
cpe:2.3:h:juniper:secure_access_2500:-:::::::*
cpe:2.3:h:juniper:secure_access_4000:-:::::::*
cpe:2.3:h:juniper:secure_access_4500:-:::::::*
cpe:2.3:h:juniper:secure_access_6000:-:::::::*
cpe:2.3:h:juniper:secure_access_6500:-:::::::*
cpe:2.3:h:juniper:secure_access_700:-:::::::*
cpe:2.3:h:juniper:t1600:-:::::::*
cpe:2.3:h:juniper:t320:-:::::::*
cpe:2.3:h:juniper:t4000:-:::::::*
cpe:2.3:h:juniper:t640:-:::::::*
cpe:2.3:h:juniper:xre200:-:::::::*

Configuration 2 [-]

AND

OR	cpe:2.3:o:juniper:junos:18.4:-::::::
	cpe:2.3:o:juniper:junos:18.4:r1::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r1-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r2::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r2-s8::::::
	cpe:2.3:o:juniper:junos:18.4:r3::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s1::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s2::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s3::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s4::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s5::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s6::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s7::::::
	cpe:2.3:o:juniper:junos:18.4:r3-s8::::::
	cpe:2.3:o:juniper:junos:19.4:r1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r3::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s3::::::
	cpe:2.3:o:juniper:junos:20.1:r1::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s3::::::
	cpe:2.3:o:juniper:junos:20.1:r1-s4::::::
	cpe:2.3:o:juniper:junos:20.1:r2::::::
	cpe:2.3:o:juniper:junos:20.1:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r3::::::
	cpe:2.3:o:juniper:junos:20.2:r3-s1::::::
	cpe:2.3:o:juniper:junos:20.3:r1::::::
	cpe:2.3:o:juniper:junos:20.3:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.3:r2::::::
	cpe:2.3:o:juniper:junos:20.4:r1::::::
	cpe:2.3:o:juniper:junos:20.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:21.1:r1-s1::::::

OR	cpe:2.3:h:juniper:srx100:-:::::::*
	cpe:2.3:h:juniper:srx110:-:::::::*
	cpe:2.3:h:juniper:srx1400:-:::::::*
	cpe:2.3:h:juniper:srx1500:-:::::::*
	cpe:2.3:h:juniper:srx210:-:::::::*
	cpe:2.3:h:juniper:srx220:-:::::::*
	cpe:2.3:h:juniper:srx240:-:::::::*
	cpe:2.3:h:juniper:srx240h2:-:::::::*
	cpe:2.3:h:juniper:srx300:-:::::::*
	cpe:2.3:h:juniper:srx320:-:::::::*
	cpe:2.3:h:juniper:srx340:-:::::::*
	cpe:2.3:h:juniper:srx3400:-:::::::*
	cpe:2.3:h:juniper:srx345:-:::::::*
	cpe:2.3:h:juniper:srx3600:-:::::::*
	cpe:2.3:h:juniper:srx380:-:::::::*
	cpe:2.3:h:juniper:srx4000:-:::::::*
	cpe:2.3:h:juniper:srx4100:-:::::::*
	cpe:2.3:h:juniper:srx4200:-:::::::*
	cpe:2.3:h:juniper:srx4600:-:::::::*
	cpe:2.3:h:juniper:srx5000:-:::::::*
	cpe:2.3:h:juniper:srx5400:-:::::::*
	cpe:2.3:h:juniper:srx550:-:::::::*
	cpe:2.3:h:juniper:srx550_hm:-:::::::*
	cpe:2.3:h:juniper:srx550m:-:::::::*
	cpe:2.3:h:juniper:srx5600:-:::::::*
	cpe:2.3:h:juniper:srx5800:-:::::::*
	cpe:2.3:h:juniper:srx650:-:::::::*

No data.

No data available yet.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: For all platforms, except SRX Series, using Junos OS 15.1R7-S10, 18.4R2-S9, 18.4R3-S9, 19.4R3-S4, 20.1R3, 20.2R3-S2, 20.4R3, 21.1R2, 21.2R1, and all subsequent releases. On SRX series using Junos OS 18.4R2-S9, 18.4R3-S9, 19.4R3-S4. 20.1R3, 20.4R3, 21.1R2, 21.2R1, and all subsequent releases.

Vendor Workaround

There is no workaround for this issue. If affected by this issue, to recover from its impact, restart the firewall process to update the ARP Policer on the AE interface unit(s). From the CLI issue: cli> restart firewall Note: no side effects on firewall restart shall be seen when issuing this command.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-2908	When user-defined ARP Policer is configured and applied on one or more Aggregated Ethernet (AE) interface units, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability between the Device Control Daemon (DCD) and firewall process (dfwd) daemons of Juniper Networks Junos OS allows an attacker to bypass the user-defined ARP Policer. In this particular case the User ARP policer is replaced with default ARP policer. To review the desired ARP Policers and actual state one can run the command "show interfaces <> extensive" and review the output. See further details below. An example output is: show interfaces extensive \| match policer Policer: Input: __default_arp_policer__ <<< incorrect if user ARP Policer was applied on an AE interface and the default ARP Policer is displayed Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user ARP Policer was applied on an AE interface For all platforms, except SRX Series: This issue affects Juniper Networks Junos OS: All versions 5.6R1 and all later versions prior to 18.4 versions prior to 18.4R2-S9, 18.4R3-S9 with the exception of 15.1 versions 15.1R7-S10 and later versions; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2; This issue does not affect Juniper Networks Junos OS versions prior to 5.6R1. On SRX Series this issue affects Juniper Networks Junos OS: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.4 versions prior to 19.4R3-S4; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. This issue does not affect 18.4 versions prior to 18.4R1 on SRX Series. This issue does not affect Junos OS Evolved.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00063.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://kb.juniper.net/JSA11191

History

No history.

Subscriptions

Juniper Acx1000 Acx1100 Acx2000 Acx2100 Acx2200 Acx4000 Acx500 Acx5000 Acx5048 Acx5096 Acx5400 Acx5448 Acx5800 Acx6300 Acx6360 Acx710 Atp400 Atp700 Csrx Ctp150 Ctp2008 Ctp2024 Ctp2056 Dx Ex2200 Ex2200-c Ex2200-vc Ex2300 Ex2300-c Ex2300m Ex3200 Ex3300 Ex3300-vc Ex3400 Ex4200 Ex4200-vc Ex4300 Ex4300-24p Ex4300-24p-s Ex4300-24t Ex4300-24t-s Ex4300-32f Ex4300-32f-dc Ex4300-32f-s Ex4300-48mp Ex4300-48mp-s Ex4300-48p Ex4300-48p-s Ex4300-48t Ex4300-48t-afi Ex4300-48t-dc Ex4300-48t-dc-afi Ex4300-48t-s Ex4300-48tafi Ex4300-48tdc Ex4300-48tdc-afi Ex4300-mp Ex4300-vc Ex4300m Ex4400 Ex4500 Ex4500-vc Ex4550 Ex4550-vc Ex4550\/vc Ex4600 Ex4600-vc Ex4650 Ex6200 Ex6210 Ex8200 Ex8200-vc Ex8208 Ex8216 Ex9200 Ex9204 Ex9208 Ex9214 Ex9250 Ex9251 Ex9253 Ex Rps Fips Infranet Controller 6500 Fips Secure Access 4000 Fips Secure Access 4500 Fips Secure Access 6000 Fips Secure Access 6500 Gfx3600 Idp250 Idp75 Idp800 Idp8200 Infranet Controller 4000 Infranet Controller 4500 Infranet Controller 6000 Infranet Controller 6500 Jatp Junos Junos Space Ja1500 Appliance Junos Space Ja2500 Appliance Ln1000 Ln2600 M10i M120 M320 M7i Mag2600 Gateway Mag4610 Gateway Mag6610 Gateway Mag6611 Gateway Mx Mx10 Mx10000 Mx10003 Mx10008 Mx10016 Mx104 Mx150 Mx2008 Mx2010 Mx2020 Mx204 Mx240 Mx40 Mx480 Mx5 Mx80 Mx960 Netscreen-5200 Netscreen-5400 Netscreen-5gt Netscreen-idp Netscreen-idp 10 Netscreen-idp 100 Netscreen-idp 1000 Netscreen-idp 500 Nfx Nfx150 Nfx250 Nfx350 Nsm3000 Nsmexpress Ocx1100 Ptx1000 Ptx1000-72q Ptx10000 Ptx10001 Ptx10001-36mr Ptx100016 Ptx10002 Ptx10002-60c Ptx10003 Ptx10003 160c Ptx10003 80c Ptx10003 81cd Ptx10004 Ptx10008 Ptx10016 Ptx3000 Ptx5000 Qfx10000 Qfx10002 Qfx10002-32q Qfx10002-60c Qfx10002-72q Qfx10008 Qfx10016 Qfx3000-g Qfx3000-m Qfx3008-i Qfx3100 Qfx3500 Qfx3600 Qfx3600-i Qfx5100 Qfx5100-96s Qfx5110 Qfx5120 Qfx5130 Qfx5200 Qfx5200-32c Qfx5200-48y Qfx5210 Qfx5210-64c Qfx5220 Router M10 Router M16 Router M20 Router M40 Router M5 Secure Access 2000 Secure Access 2500 Secure Access 4000 Secure Access 4500 Secure Access 6000 Secure Access 6500 Secure Access 700 Srx100 Srx110 Srx1400 Srx1500 Srx210 Srx220 Srx240 Srx240h2 Srx300 Srx320 Srx340 Srx3400 Srx345 Srx3600 Srx380 Srx4000 Srx4100 Srx4200 Srx4600 Srx5000 Srx5400 Srx550 Srx550 Hm Srx550m Srx5600 Srx5800 Srx650 T1600 T320 T4000 T640 Xre200

MITRE

Status: PUBLISHED

Assigner: juniper

Published: 2021-07-15T20:01:05.615Z

Updated: 2024-09-17T03:48:59.800Z

Reserved: 2020-10-27T00:00:00.000Z

Link: CVE-2021-0289

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-07-15T20:15:10.563

Modified: 2024-11-21T05:42:24.760

Link: CVE-2021-0289

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-367

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object