18.1R2-S4: Software Release Notification for Junos Software Service Release version 18.1R2-S4
Junos Software Service Release version 18.1R2-S4 is now available.
PR Number | Synopsis | Description |
---|---|---|
1442376 | EX2300 platforms with some specific releases might stop forwarding traffic or responding to console | On EX2300/EX2300-C/EX2300-MP platforms, if the Junos software runs FreeBSD kernel version 11 with a build date on or after 2019-02-12, the switch may stop forwarding traffic or responding to console. A reboot is required to restore the service. |
PR Number | Synopsis | Description |
---|---|---|
1289313 | Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039) | Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039); Refer to https://kb.juniper.net/JSA10928 for more information. |
1326642 | Incorrect value of optical power is displayed | On EX2300/EX3400 Series switches with SFP used, when the actual receiver signal power exceeds 0.21 mW, the output of the command "show interfaces diagnostics optics" might display an incorrect value for the field "Receiver signal average optical power". |
1326902 | IfSpeed and IfHighSpeed erroneously reported as zero on EX2300. | On an EX2300 switch, the IfSpeed and IfHighSpeed MIB values might be incorrectly displayed during an SNMP get operation. |
1335523 | On SRX1500 devices, fan speed goes up and down continuously. | SRX1500 fan speed often goes up and down if the environment temperature is up to 63 degrees Celsius. |
1350909 | PPE Errors async xtxn error when FPC is restarted/removed | An XTXN error seen at FPC restart (with or without impact) needs to be communicated to the customer, as it is not expected behavior. |
1354857 | The ports using SFP-T transceiver may still be up after system halt | On EX4300-32F fiber platforms with an SFP-T transceiver installed, the corresponding ports may still be up after system halt. This is specific to the case where the SFP-T transceiver is installed in one of the first 32 ports (built-in ports). |
1356763 | Junos OS: The routing protocol process (rpd) may crash and generate core files upon receipt of specific valid BGP states from a peered host. (CVE-2019-0059) | A memory leak vulnerability in the of Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) to the device by sending specific commands from a peered BGP host and having those BGP states delivered to the vulnerable device. |
1357843 | SRX device clock may lose synchronization with the NTP server | On SRX1500, vSRX, SRX4100, and SRX4200 platforms, NTP may lose synchronization with the NTP server due to the clock offset increasing too fast. |
1359130 | Traffic might be dropped when a firewall filter term having log or syslog with accept on EX2300 | When a firewall filter term having log or syslog with accept is assigned to an interface, the traffic might be dropped without any warning when the commit or commit-check is issued. |
1359816 | Traffic uses the original IRB MAC address if a MAC is configured for an IRB interface | When EX2300/EX3400 platforms are used as transit switches, the traffic sent out of an IRB interface might use the original MAC address instead of the MAC address configured for the IRB. |
1360602 | SFP-T might not work with Junos 17.2R1 or higher | The working uplink module SFP-T might go down with Junos 17.2R1 and higher. |
1360968 | IPsec tunnel may flap when there are concurrent IKEv2 Phase 1 SA rekeys | On SRX devices, in rare circumstances (e.g. vpn establish-immediately is configured on both ends of the tunnel), concurrent Phase 1 SA rekeys were seen. This may cause the VPN to delete existing VPN tunnels and rebuild them when the VPN policy-manager cannot correctly process the second rekey call from the toolkit. |
1361696 | Non-existent Fan tray 1 reported by chassisd on EX2300. | After an upgrade to Junos version 18.1 or 18.2, an additional fan tray might be erroneously reported by chassisd on EX2300. |
1364019 | 2019-01 Security Bulletin: Junos OS: Multiple vulnerabilities in libxml2 | Multiple vulnerabilities in libxml2 have been resolved in Junos OS. Refer to https://kb.juniper.net/JSA10916 for more information. |
1364866 | JSA10901 2019-01 Security Bulletin: Junos OS: EX2300 and EX3400 series: Certain stateless firewall filter rules might not take effect (CVE-2019-0002) | JSA10901 2019-01 Security Bulletin: Junos OS: EX2300 and EX3400 series: Certain stateless firewall filter rules might not take effect (CVE-2019-0002). See https://kb.juniper.net/JSA10901 for details. |
1364930 | On EX2300 platforms, "show filter hw summary" is showing incomplete output. | For the given config, a few of the filters are attached to unit 1, but the show output has taken the value only from UNIT 0. In case of a dual unit (48 port device), we need to consider UNIT 0 and UNIT 1 as well. |
1365151 | The rpc command about interface unit might fail | Python or other scripts might stop working if they include an rpc command about an interface unit. |
1366768 | SNMP MIB walk for UDP flood gives different output statistics than CLI | After reaching high counter numbers, the SNMP MIB walk for UDP flood (jnxJsScreenMonUdpFlood) shows very different values from the CLI command. |
1368998 | Junos OS: set system ports console insecure allows root password recovery on OAM volumes (CVE-2019-0035) | Junos OS: set system ports console insecure allows root password recovery on OAM volumes (CVE-2019-0035); Refer to https://kb.juniper.net/JSA10924 for more information. |
1371035 | NTP broadcast packets are not forwarded out on L2 ports | On EX2300/EX3400 Series switches acting as transit switches, an NTP broadcast packet with source port 123 might hit the default firewall rule and be trapped to the CPU but not flooded to VLANs. |
1371041 | The timeout value of junos-http is improper. | On all SRX Series devices, from Junos OS Release 15.1X49-D120, 17.4R1, and 18.1R1, the timeout value of junos-http (the pre-defined application setting in junos-defaults.conf) has been changed to 1800 seconds, which is not expected; the expected value is 300 seconds. |
1372966 | The LLDP TLV with the wrong switch port capabilities might be sent | On the EX4300 platform with LLDP enabled, an LLDP TLV with the wrong switch port capabilities might be sent, and it might cause IP phones to not work properly. |
1376057 | Traffic black-hole with indirect next hop and load balancing | On EX4300/EX4600/QFX Series switches except for QFX10000, pass-through traffic might be dropped if using multiple routes with indirect next hop and load balancing. |
1377447 | Debug log message, "expr_nh_flabel_check_overwrite: Caller nh_id params", classified as Error Log when it should be LOG_INFO. | Debug logs are printed as error logs in /var/log/messages. Debug log message, "expr_nh_flabel_check_overwrite: Caller nh_id params", classified as Error Log when it should be LOG_INFO. |
1377749 | In EVPN A-A scenario with MX or EX acting as PE device, flood NHs to handle BUM traffic may not get created or miss certain branches when the configuration is performed in a particular sequence | In EVPN A-A scenario with MX or EX acting as PE device, flood NHs to handle BUM traffic may not get created or miss certain branches when the configuration is performed in a particular sequence |
1377841 | Packets might be dropped on AD in Junos Fusion Data Center environment | In a Junos Fusion Data Center environment, when the interfaces on the Aggregation Device (AD) are using enterprise style (family ethernet-switching) with default IP MTU (1500 Bytes) or IP MTU greater than 1496 Bytes, packets might be dropped for length error on those interfaces. |
1378392 | Traffic might be dropped on third-generation FPCs on PTX. | On PTX with third-generation FPCs, if optics not certified by Juniper Networks (NON-JNPR) are used and there is specific traffic pattern with congestion, traffic might be dropped. |
1379718 | Host destined packets with filter log action might not reach the routing engine if log/syslog is enabled. | On EX4300/EX4600/QFX Series switches except for QFX10k, if host destined packets (i.e., the destination address belongs to the device) come from an interface with an ingress filter of log/syslog action (e.g., 'filter <> term <> then log/syslog'), such packets should not be dropped and should reach the routing engine. |
1380686 | 2019-01 Security Bulletin: Junos OS: OpenSSL Security Advisories [16 Apr 2018] and [12 June 2018] | The OpenSSL project has published security advisories for vulnerabilities resolved in the OpenSSL library on April 16, 2018, and June 12, 2018. See https://kb.juniper.net/JSA10919 for details. |
1382789 | EX2300-C High CPU utilization due to process rand_harvestq | EX2300-C exhibits high CPU due to the rand_harvestq process after upgrade to an 18.X Junos version. It can also result in a socket connection drop issue. This problem is fixed starting in the following releases: 18.1R2-S4, 18.2R3, 18.3R2, 18.4R1-S2 and 19.1R1. |
1383642 | In a Junos Fusion (MC-LAG based) deployment with dual Aggregation Devices (ADs) and dual-homed Satellite Devices (SDs) it may be possible for SDs to get into a state where LACP will not transmit to attached end/client devices. | When a Satellite Device (SD) boots up (powered on) it receives the SD configuration file from the Aggregation Devices (ADs). If the SD is configured to be dual-homed to both ADs (connections from one SD to both AD1/AD2) it will receive a configuration file which instructs the SD to communicate to both ADs. If one of the ADs is offline at the time the SD receives the configuration file specifying AD Redundancy then the SD will not be able to properly transmit LACP PDUs until it communicates and synchronizes with both ADs as specified in the received configuration. |
1384319 | Junos upgrade might fail with validate option after the /cf/var/sw directory is accidentally deleted. | If the directory /cf/var/sw is deleted by mistake, it may cause future Junos upgrades to fail when the validate option is used. |
1387039 | On EX2300 with Q-in-Q "flexible-vlan-tagging" is unable to obtain DHCP IP for IRB after a reboot/power-cycle. | On EX2300 Series platforms, when the EX2300 acts as a DHCP client itself, it might not be able to obtain an IP address over the flexible-vlan-tagging configured interface for its IRB interface after the EX2300 is rebooted or power-cycled. |
1387724 | Default route configured gets deleted during ZTP | During the Zero Touch Provisioning (ZTP) process, the default route is cleaned up by code. As a result, if a static default route is configured in the initial configuration (the configuration file downloaded from the file server for ZTP), the route will fail to work. This might lead to ZTP failure or a device access issue after ZTP. |
1389688 | Layer 3 IP route might be deleted after L2 next-hop change is seen. | On the EX4300 platform, a Layer 3 IP route would be deleted when an L2 next-hop change is seen or the PFE receives duplicate next-hop change messages (examples are the STP/LAG state change of interfaces), and this will cause traffic drop. |
1391983 | Junos OS: jdhcpd crash upon receipt of crafted DHCPv6 solicit message (CVE-2019-0037) | Junos OS: jdhcpd crash upon receipt of crafted DHCPv6 solicit message (CVE-2019-0037); Refer to https://kb.juniper.net/JSA10926 for more information. |
1393276 | QFX: error message 'Failed with error (-7) while deleting the trunk 1 on the device 0' | On QFX Series switches, the error message below would be seen when adding or removing the local-bias setting on an SP style LAG interface: %PFE-3: fpc0 Failed with error (-7) while deleting the trunk 1 on the device 0 |
1394341 | The dhcp-security binding table might not be updated due to the renew request with '0.0.0.0' value in 'ciaddr' | In a DHCP security scenario, if the DHCP renew request packet is a broadcast message with a '0.0.0.0' value in the 'ciaddr' field, the DHCP security binding table might not be updated. The binding information remains until its lease time expires. After lease time expiry the binding information is deleted, which might result in traffic drop for the DHCP client at the old lease expiration time. |
1394922 | Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036) | Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036); Refer to https://kb.juniper.net/JSA10925 for more information. |
1394927 | WITHDRAWN: Junos OS: gRPC hardcoded credentials may allow unauthorized access to systems with Junos Network Agent installed (REJECTED) | NO RISK. CVE REJECTED. 04-11-2019: Further investigation has determined that this issue has no impact. While the credentials exist in affected releases there is no way to exploit this issue, and even if the issue were exploitable, there would be no impact. Refer to https://kb.juniper.net/JSA10923 for more information. |
1395098 | The best and the second-best routes might have the same weight value if BGP PIC is enabled | In BGP PIC (Prefix Independent Convergence) scenario, next-hop of unequal BGP multipath routes might have the same weight (0x1), resulting in unexpected load balance for traffic. |
1397210 | 40 Gigabit Ethernet/100 Gigabit Ethernet ports may take a long time (about 30 seconds) to link up on SRX4600 platform. | On SRX4600 platforms, 40/100 Gigabit QSFP Ethernet ports might take a long time (about 30s) to link up after multiple link down/up events. |
1398333 | Junos OS: NFX150 Series, QFX10K Series, EX9200 Series, MX Series, PTX Series: Path traversal vulnerability in NFX150 and NG-RE leads to information disclosure (CVE-2019-0074) | A path traversal vulnerability in NFX150 Series and QFX10K Series, EX9200 Series, MX Series, and PTX Series devices with Next-Generation Routing Engine (NG-RE) allows a local authenticated user to read sensitive system files. Please refer to https://kb.juniper.net/JSA10975 for more information. |
1399141 | Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019) | Junos OS: BGP packets can trigger rpd crash when BGP tracing is enabled. (CVE-2019-0019); Refer to https://kb.juniper.net/JSA10931 for more information. |
1400380 | PEM I2C Failure alarm might be shown incorrectly as failed | PEM I2C Failure alarm might be shown incorrectly as failed due to I2C transaction failure. |
1406030 | Fabric performance drop on MPC7/8/9E and SFB2 based MX2000 platform | On MPC7/8/9E and SFB2 based MX2000 Series platforms, code change done by PR 1336446 fixing MPC7/8/9E fabric re-ordering issue with SFB causes fabric performance drop. The throughput might not reach the expected value in high volume traffic scenario. |
1406219 | Junos OS: Insecure management daemon (MGD) configuration may allow local privilege escalation (CVE-2019-0061) | The Junos CLI communicates with MGD over an internal unix-domain socket and is granted special permission to open this protected mode socket. Due to a misconfiguration of the internal socket, a local, authenticated user may be able to exploit this vulnerability to gain administrative privileges. |
1408058 | Traffic forwarding failed when crossing VCF members | In a VCF scenario, if one member of the VCF reboots, forwarding of transit unicast traffic across non-directly connected VCF members might fail. |
1408443 | The rpd crashes on static route configuration for multicast source | In multicast routing scenario using PIM, if configuring static route with qualified-next-hop for multicast source, process rpd might crash. This is because qualified-next-hop points to GF_DLI (Gateway Family Data Links) address which PIM is unable to process, resulting in the crash. |
1409847 | Junos OS: Insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow (CVE-2019-0053) | In Junos OS, insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow (CVE-2019-0053); Refer to https://kb.juniper.net/JSA10947 for more information. |
1414688 | Some Junos releases could not be installed successfully on EX2300-C platform | Due to a problem with the install process, the following Junos releases for the EX2300-C platform could not be installed successfully: 18.1R3-S3, 18.2R2-S1, 18.2R2-S2, 18.4R1, 18.4R1-S1. These releases have been removed from the download page and will not be replaced. This problem affects only the EX2300-C platform. Previous and subsequent releases are not affected. |
1418955 | Junos OS: MX Series: An MPC10 Denial of Service (DoS) due to OSPF states transitioning to Down, causes traffic to stop forwarding through the device. | This issue only affects devices with three (3) or more MPC10's installed in a single chassis with OSPF enabled and configured on the device. An Insufficient Resource Pool weakness allows an attacker to cause the device's Open Shortest Path First (OSPF) states to transition to Down, resulting in a Denial of Service (DoS) attack. |
1419533 | Junos OS: OpenSSL Security Advisory [26 Feb 2019] | The OpenSSL project has published a security advisory for a vulnerability resolved in the OpenSSL library on February 28, 2019. Refer to https://kb.juniper.net/JSA10949 for more information. |
1424244 | IPv6 communication issue might be seen after passing through QFX10002-60C platforms | IPv6 neighbor solicitation packets for link-local address might be dropped when passing through QFX10002-60C via IRB interface. As a result, hosts inside VLANs could not communicate with each other using link-local addresses. |