CVE-2022-22209

{"id": "CVE-2022-22209", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "sirt@juniper.net", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-07-20T15:15:08.643", "references": [{"url": "https://kb.juniper.net/JSA69713", "tags": ["Exploit", "Vendor Advisory"], "source": "sirt@juniper.net"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "sirt@juniper.net", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "A Missing Release of Memory after Effective Lifetime vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated network based attacker to cause a Denial of Service (DoS). On all Junos platforms, the Kernel Routing Table (KRT) queue can get stuck due to a memory leak triggered by interface flaps or route churn leading to RIB and PFEs getting out of sync. The memory leak causes RTNEXTHOP/route and next-hop memory pressure issue and the KRT queue will eventually get stuck with the error- 'ENOMEM -- Cannot allocate memory'. The out-of-sync state between RIB and FIB can be seen with the \"show route\" and \"show route forwarding-table\" command. This issue will lead to failures for adding new routes. The KRT queue status can be checked using the CLI command \"show krt queue\": user@host > show krt state High-priority add queue: 1 queued ADD nhtype Router index 0 (31212) error 'ENOMEM -- Cannot allocate memory' kqp '0x8ad5e40' The following messages will be observed in /var/log/messages, which indicate high memory for routes/nexthops: host rpd[16279]: RPD_RT_HWM_NOTICE: New RIB highwatermark for routes: 266 [2022-03-04 05:06:07] host rpd[16279]: RPD_KRT_Q_RETRIES: nexthop ADD: Cannot allocate memory host rpd[16279]: RPD_KRT_Q_RETRIES: nexthop ADD: Cannot allocate memory host kernel: rts_veto_net_delayed_unref_limit: Route/nexthop memory is severe pressure. User Application to perform recovery actions. O p 8 err 12, rtsm_id 0:-1, msg type 10, veto simulation: 0. host kernel: rts_veto_net_delayed_unref_limit: Memory usage of M_RTNEXTHOP type = (806321208) Max size possible for M_RTNEXTHOP type = (689432176) Current delayed unref = (0), Max delayed unref on this platform = (120000) Current delayed weight unref = (0) Max delayed weight unref on this platform = (400000) curproc = rpd. This issue affects: Juniper Networks Junos OS 21.2 versions prior to 21.2R3; 21.3 versions prior to 21.3R2-S1, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2; This issue does not affect Juniper Networks Junos OS versions prior to 21.2R1."}, {"lang": "es", "value": "Una vulnerabilidad de Falta de Liberaci\u00f3n de Memoria despu\u00e9s del Tiempo de Vida Efectivo en el kernel de Junos OS de Juniper Networks permite a un atacante no autenticado basado en la red causar una Denegaci\u00f3n de Servicio (DoS). En todas las plataformas Junos, la cola de la tabla de enrutamiento del n\u00facleo (KRT) puede atascarse debido a una p\u00e9rdida de memoria desencadenada por las solapas de la interfaz o el cambio de rutas, lo que conlleva a una desincronizaci\u00f3n de las RIB y las PFE. La fuga de memoria causa un problema de presi\u00f3n de memoria en RTNEXTHOP/ruta y en el siguiente salto y la cola de KRT se atascar\u00e1 finalmente con el error \"ENOMEM -- Cannot allocate memory\". El estado de desincronizaci\u00f3n entre la RIB y la FIB puede verse con el comando \"show route\" y \"show route forwarding-table\". Este problema conlleva a fallos al a\u00f1adir nuevas rutas. El estado de la cola KRT puede comprobarse mediante el comando CLI \"show krt queue\": user@host ) show krt state High-priority add queue: 1 queued ADD nhtype Router index 0 (31212) error 'ENOMEM -- Cannot allocate memory' kqp '0x8ad5e40' Ser\u00e1n observados los siguientes mensajes en /var/log/messages, que indican una memoria elevada para las rutas/nexthops: host rpd[16279]: RPD_RT_HWM_NOTICE: Nueva memoria alta RIB para rutas: 266 [2022-03-04 05:06:07] host rpd[16279]: RPD_KRT_Q_RETRIES: nexthop ADD: No puede asignarse memoria host rpd[16279]: RPD_KRT_Q_RETRIES: nexthop ADD: No puede asignarse memoria al host kernel: rts_veto_net_delayed_unref_limit: La memoria de la ruta/nexthop est\u00e1 sometida a una fuerte presi\u00f3n. Aplicaci\u00f3n de usuario para llevar a cabo acciones de recuperaci\u00f3n. O p 8 err 12, rtsm_id 0:-1, msg type 10, veto simulation: 0. kernel del host: rts_veto_net_delayed_unref_limit: Uso de la memoria del tipo M_RTNEXTHOP = (806321208) Tama\u00f1o m\u00e1ximo posible para el tipo M_RTNEXTHOP = (689432176) Unref retrasado actual = (0), Unref retrasado m\u00e1ximo en esta plataforma = (120000) Unref de peso retrasado actual = (0) Unref de peso retrasado m\u00e1ximo en esta plataforma = (400000) curproc = rpd. Este problema afecta a: Juniper Networks Junos OS 21.2 versiones anteriores a 21.2R3; 21.3 versiones anteriores a 21.3R2-S1, 21.3R3; 21.4 versiones anteriores a 21.4R1-S2, 21.4R2; Este problema no afecta a versiones de Juniper Networks Junos OS anteriores a 21.2R1"}], "lastModified": "2022-07-29T22:06:22.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "216E7DDE-453D-481F-92E2-9F8466CDDA3F"}, {"criteria": "cpe:2.3:o:juniper:junos:21.2:r1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A52AF794-B36B-43A6-82E9-628658624B0A"}, {"criteria": "cpe:2.3:o:juniper:junos:21.2:r1-s1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3998DC76-F72F-4452-9150-652140B113EB"}, {"criteria": "cpe:2.3:o:juniper:junos:21.2:r1-s2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36ED4552-2420-45F9-B6E4-6DA2B2B12870"}, {"criteria": "cpe:2.3:o:juniper:junos:21.2:r2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C28A14E7-7EA0-4757-9764-E39A27CFDFA5"}, {"criteria": "cpe:2.3:o:juniper:junos:21.2:r2-s1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A43752D-A4AF-4B4E-B95B-192E42883A5B"}, {"criteria": "cpe:2.3:o:juniper:junos:21.2:r2-s2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42986538-E9D0-4C2E-B1C4-A763A4EE451B"}, {"criteria": "cpe:2.3:o:juniper:junos:21.3:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E7D597D-F6B6-44C3-9EBC-4FA0686ACB5C"}, {"criteria": "cpe:2.3:o:juniper:junos:21.3:r1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC78A4CB-D617-43FC-BB51-287D2D0C44ED"}, {"criteria": "cpe:2.3:o:juniper:junos:21.3:r1-s1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30FF67F8-1E3C-47A8-8859-709B3614BA6E"}, {"criteria": "cpe:2.3:o:juniper:junos:21.3:r1-s2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C7C507E-C85E-4BC6-A3B0-549516BAB524"}, {"criteria": "cpe:2.3:o:juniper:junos:21.3:r2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6514CDE8-35DC-469F-89A3-078684D18F7A"}, {"criteria": "cpe:2.3:o:juniper:junos:21.4:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79ED3CE8-CC57-43AB-9A26-BBC87816062D"}, {"criteria": "cpe:2.3:o:juniper:junos:21.4:r1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4310D2D9-A8A6-48F8-9384-0A0692A1E1C3"}, {"criteria": "cpe:2.3:o:juniper:junos:21.4:r1-s1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9962B01C-C57C-4359-9532-676AB81CE8B0"}], "operator": "OR"}]}], "sourceIdentifier": "sirt@juniper.net"}