This issue can affect all SRX Series Services Gateways for the Data Center (SRX-1400, SRX-3400, SRX-3600, SRX-5600, SRX-5800) configured to process IPv6 traffic flows.
When an IPv6 flow session is freed on the Central Point (CP), it updates the CP session statistics for the corresponding SPU. In some situations, the update overwrote other memory, causing incorrect statistics or memory corruption, which in turn triggered a flowd core. Junos now uses dedicated code for extending session counter updates during CP session allocation and freeing.
All Junos OS software releases built on or after 2011-12-16 have fixed this specific issue. Releases containing the fix specifically include: 10.4R7, 11.1R5, 11.2R2, 11.4R1, and all subsequent releases (i.e. all releases built after 11.4R1). Earlier releases of Junos OS are unaffected by this vulnerability.
This issue is being tracked as PR 672794 and is visible on the Customer Support website.
Note: SRX Series services gateways with session limit screening configured, for example:
[screen ids-option XXX limit-session source-ip-based or destination-ip-based]
should refer to IPv6 related PR 728802 before deciding on an upgrade strategy.
KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.
Disabling IPv6 processing will mitigate the issue, but may not be an acceptable workaround for most customers. For example:
user@junos# set security forwarding-options family inet6 mode drop
A reboot is required to make this configuration change effective.
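As an added example (not Juniper's code and not part of the original advisory), the Python below triages one device from its version string and its `show configuration | display set` output, using the fixed-release list, the session-limit screen note and the inet6 mode statement above. The function names and the sample configuration are constructed for illustration; it assumes the device is one of the listed SRX models and that `mode flow-based` is the statement that enables IPv6 flow processing.

```python
import re

# Minimum fixed R-release per train, taken from the advisory text.
FIXED = {(10, 4): 7, (11, 1): 5, (11, 2): 2, (11, 4): 1}

def has_fix(version):
    """True/False if the advisory's list decides it, None if it does not."""
    m = re.match(r"(\d+)\.(\d+)(?:R(\d+))?", version)
    if not m:
        return None
    train = (int(m.group(1)), int(m.group(2)))
    if train > (11, 4):
        return True                      # "all subsequent releases"
    if train in FIXED and m.group(3):
        return int(m.group(3)) >= FIXED[train]
    return None                          # train not in the list; see KB16765

def triage(version, set_config):
    """Summarise exposure from a version string and 'display set' output."""
    lines = [l.strip() for l in set_config.splitlines()]
    # Assumption: 'flow-based' is the mode that enables IPv6 flow sessions.
    ipv6_flow = any(re.fullmatch(
        r"set security forwarding-options family inet6 mode flow-based", l)
        for l in lines)
    # Session-limit screens are the case the advisory ties to PR 728802.
    limit_screen = any(re.match(
        r"set security screen ids-option \S+ limit-session "
        r"(source|destination)-ip-based\b", l) for l in lines)
    fixed = has_fix(version)
    return {
        "fixed": fixed,
        "ipv6_flow": ipv6_flow,
        "upgrade_candidate": ipv6_flow and fixed is False,
        "review_pr_728802": limit_screen,
    }

# Constructed sample input, not taken from a real device.
SAMPLE = """\
set security forwarding-options family inet6 mode flow-based
set security screen ids-option untrust-screen limit-session source-ip-based 128
"""

if __name__ == "__main__":
    print(triage("11.1R4.4", SAMPLE))
```

A `fixed` value of None means the version string falls outside the trains named in the fixed-release list, so the list alone does not decide it.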
Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."