
2018-01 Out of Cycle Security Bulletin: Meltdown & Spectre: CPU Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method

Article ID: JSA10842 SECURITY_ADVISORIES Last Updated: 22 Feb 2018 Version: 12.0
Product Affected:
See Problem and Solution sections below.
Modern microprocessors that implement speculative execution of instructions are susceptible to a new class of cache timing attacks being called "Meltdown" and "Spectre".  These vulnerabilities could allow an attacker to read privileged memory which may contain sensitive information such as passwords or encryption keys.

There are three known variants of the issue:
  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

Almost all modern CPUs, including the ones in most Juniper products, use speculative execution and are potentially susceptible to these types of attacks. However, it is important to note that in order to exploit this weakness and gain access to restricted memory, the attack requires executing crafted code on the device.
Most Juniper devices are deployed in a manner that will offer multiple layers of protection against successful exploit of these issues:
  • Limiting access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts will prevent untrusted code execution, which is required for successful exploitation of these vulnerabilities.
  • Furthermore, most products running Junos OS can only execute code signed by Juniper (e.g. veriexec code-signing validation in Junos OS).  This ensures that only code signed by Juniper can be executed on the device.  Administrators can check whether veriexec is enforced by running the following command from the Junos OS shell:
% sysctl security.mac.veriexec.state
if veriexec is enforced, the output should be:
security.mac.veriexec.state: loaded active enforce
Additionally, on the platforms where veriexec is not enforced, the ability to load or execute code is limited to privileged users only.

Note: on older Junos OS versions, the above command might give a different result. On those releases the alternative command is:
/sbin/veriexec -i enforce
The exit status is 0 (true) if veriexec is being enforced.
If veriexec is enforced:
% /sbin/veriexec -i enforce || echo "ERROR: veriexec not enforced"
If veriexec is not enforced:
% /sbin/veriexec -i enforce || echo "ERROR: veriexec not enforced"
ERROR: veriexec not enforced
Either of these defenses is sufficient to ensure there is no exposure to privileged memory being read by an unauthorized user as a result of these vulnerabilities.
Deployments where users can execute untrusted code, including many virtualized, container, Flex, and application products are potentially impacted.  Customers should follow standard BCPs to limit exposure and apply fixes as they become available.
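As an added example that is not part of the advisory, the following POSIX shell script automates the two veriexec checks described above: it classifies one line of sysctl output, falls back to the exit status of /sbin/veriexec -i enforce on older releases, and can be exercised offline on constructed sample lines. The function names and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Juniper advisory. veriexec_line_enforced()
# classifies one line of "sysctl security.mac.veriexec.state" output;
# check_device() wires it to the two commands the advisory names.

# Exit status: 0 = loaded, active and enforcing; 1 = veriexec present but not
# fully enforcing; 2 = line not recognised (sysctl name absent, empty output).
veriexec_line_enforced() {
    line=$1
    case "$line" in
        "security.mac.veriexec.state:"*)
            state=${line#security.mac.veriexec.state:}
            # All three flags must be present for signed-code-only execution.
            for flag in loaded active enforce; do
                case " $state " in
                    *" $flag "*) ;;
                    *) return 1 ;;
                esac
            done
            return 0
            ;;
        *) return 2 ;;
    esac
}

# Run on a Junos OS shell. Falls back to /sbin/veriexec -i enforce (exit
# status 0 = enforced) when the sysctl is absent on an older release.
check_device() {
    out=$(sysctl security.mac.veriexec.state 2>/dev/null)
    veriexec_line_enforced "$out"
    rc=$?
    if [ "$rc" -eq 2 ] && [ -x /sbin/veriexec ]; then
        /sbin/veriexec -i enforce >/dev/null 2>&1
        rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: veriexec enforced"
    else
        echo "ERROR: veriexec not enforced (code $rc)"
    fi
    return "$rc"
}

# Constructed sample lines (not captured from a real device):
ENFORCED_LINE='security.mac.veriexec.state: loaded active enforce'
RELAXED_LINE='security.mac.veriexec.state: loaded active'
for l in "$ENFORCED_LINE" "$RELAXED_LINE"; do
    if veriexec_line_enforced "$l"; then echo "enforced: $l"; else echo "NOT enforced: $l"; fi
done
```

On a live device, call check_device instead of the demo loop; it returns non-zero whenever enforcement cannot be confirmed by either method.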

Product Status:

Juniper SIRT is actively investigating the impact on Juniper Networks products and services. 

The following products may contain affected microprocessors and operating systems; the defenses above should be used to eliminate exposure:
  • Junos OS based platforms
  • Junos Space appliance
  • Qfabric Director
  • CTP Series
  • NSMXpress/NSM3000/NSM4000 appliances 
  • STRM/Juniper Secure Analytics (JSA) appliances
  • SRC/C Series
  • Contrail on Ubuntu

The following products are not impacted. They do not have the components or scenarios required for exploitation of these vulnerabilities:
  • ScreenOS / Netscreen platforms
  • JUNOSe / E Series platforms
  • BTI platforms
  • Cyphort appliance
  • SRX100 Series / SRX200 Series / SRX300 Series / SRX550 / SRX650
  • LN1000 and LN2600 Security Routers
  • CBA Series Wireless WAN Bridge

For the following products, fixes come from the vendors of the platforms on which they are deployed:
  • Contrail Product Family (including Contrail Networking, Contrail Security and Contrail Cloud):
- For Ubuntu based platforms: customers will require an upstream patch from:
  Additionally, there will be a Contrail release to incorporate relevant fixes.
- For Redhat based platforms: customers will require an upstream patch from
  No further Contrail patch is required from Juniper.
- For Centos based platforms: customers will require an upstream patch from:
  No further Contrail patch is required from Juniper.
  • AppFormix
- AppFormix is a pure software application product and is therefore only indirectly impacted. Customers should patch their host.
Juniper is continuing to investigate our product portfolio for affected products that are not mentioned above. As new information becomes available this document will be updated.
Where possible, Juniper will be developing software fixes that prevent these types of attacks. This JSA will be updated as those fixes become available for Juniper devices.
In order to mitigate this vulnerability, only run software from trusted sources.  It is also recommended to limit the access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts.
Modification History:
2018-01-05: Initial publication
2018-01-08: Minor update on the Product Status section
2018-01-11: Update on the problem description with regards to information on multiple layers of protection and minor update on product status
2018-01-12: Update on the Product Status section
2018-01-18: Update on the Product Status section SRX6500->SRX650
2018-01-24: Additional information to check veriexec enforcement on older Junos OS releases: /sbin/veriexec -i enforce
2018-02-02: Update on the Product Status section LN1000 and LN2600
2018-02-20: Update on AppFormix
2018-02-22: Update on WANDL IP/MPLSView

CVSS Score:
4.1 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
Severity Level:
Severity Assessment:
In the case of Junos OS, in order to exploit this vulnerability an attacker must have local authenticated privileged (admin) access and must also bypass the image validation checking.
