18.3R2-S4: Software Release Notification for JUNOS Software Version 18.3R2-S4


Article ID: TSB17866 TECHNICAL_BULLETINS Last Updated: 25 Sep 2020 Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX, MX, PTX, QFX, NFX, SRX, VRR, vMX, vSRX
Alert Description:
Junos Software Service Release version 18.3R2-S4 is now available for download from the Junos software download site.
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Solution:
Warning: In a VPLS/bridge-domain environment on an MX/EX9200 Series router with Trio-based MPCs, the MPCs may experience an NH memory leak in the PFEs when an integrated routing and bridging (IRB) interface participates in the VPLS/bridge-domain instance.

Junos Software Service Release version 18.3R2-S4 is now available.

18.3R2-S4 - List of Fixed issues

PR Number Synopsis Category: EX4300 Platform
1502726 On the EX4300 device, traffic loss might be seen with framing errors or runts if MACsec is configured.
Product-Group=junos
On EX4300 platform with Media Access Control Security (MACsec) configured, if there is high traffic flowing through the MACsec enabled link, increasing framing errors or runts statistics might be seen in the output of "show interfaces extensive <>" for the affected interface. Traffic loss might also happen due to this issue.
PR Number Synopsis Category: EX2300/3400 platform
1477165 EX3400 me0 interface might remain down
Product-Group=junos
The me0 interface of EX3400 does not come up when connected to a 100m speed interface.
PR Number Synopsis Category: QFX Access control list
1521763 Firewall "sample" configuration gives the warning as unsupported on QFX10002-36q and will not work.
Product-Group=junos
On QFX10002-36q, when inline-jflow is configured, the IPv4 firewall filter with 'sample' action gives a warning "unsupported platform" and will not work. On the other hand, the IPv6 firewall filter with 'sample' action will still work as expected.
PR Number Synopsis Category: QFX PFE L2
1474142 Traffic might get affected if the composite next-hop is enabled.
Product-Group=junos
On QFX5000 and EX4600 platforms with composite next hop enabled, traffic loss would occur when deleting leaked routes with composite next hop.
PR Number Synopsis Category: JUNOS kernel/ukernel changes for ACX
1509402 PFE crash might be seen and the FPC may remain down on ACX710 platform
Product-Group=junos
On ACX710 platform, after the PTP (Precision Time Protocol) configuration is removed and the router is rebooted, the PFE might crash and the FPC remains down if PTP traffic is still coming into the router. This issue might also happen when SyncE is configured. This causes the router to crash and not come up.
PR Number Synopsis Category: common or misc area for SRX product
1490181 SRX1500 and SRX4K devices might boot up with rescue configuration after a power outage occurs
Product-Group=junos
After a power outage occurs, SRX1500 and SRX4K devices might load rescue configuration in order to boot up successfully.
PR Number Synopsis Category: Border Gateway Protocol
1481641 Junos OS and Junos OS Evolved: RPD crash due to specific BGP UPDATE packets (CVE-2020-1644)
Product-Group=junos
On Juniper Networks Junos OS and Junos OS Evolved devices, the receipt of a specific BGP UPDATE packet causes an internal counter to be incremented incorrectly, which over time can lead to the routing protocols process (RPD) crash and restart. Please refer to https://kb.juniper.net/JSA11032 for more information.
1497721 Junos OS: Receipt of certain genuine BGP packets from any BGP Speaker causes RPD to crash. (CVE-2020-1640)
Product-Group=junos
An improper use of a validation framework when processing incoming genuine BGP packets within Juniper Networks RPD (routing protocols process) daemon allows an attacker to crash RPD thereby causing a Denial of Service (DoS) condition. Refer to https://kb.juniper.net/JSA11024 for more information.
PR Number Synopsis Category: OpenSSL and related subsystems
1479780 OpenSSL Security Advisory [20 Dec 2019]
Product-Group=junos
The OpenSSL project has published a security advisory for a vulnerability resolved in the OpenSSL library on December 20, 2019. Refer to https://kb.juniper.net/JSA11025 for more information.
PR Number Synopsis Category: Express PFE L2 fwding Features
1427994 The dcpfe process might crash and restart in MC-LAG scenario when the ARP/NDP next-hop is changed
Product-Group=junos
On QFX10002/QFX10008/QFX10016 Series platforms with enhanced MC-LAG scenario, the dcpfe process might crash and restart if the ARP/NDP next-hop is changed.
PR Number Synopsis Category: Flow Module
1465286 SRX Series: Double free vulnerability can lead to DoS or remote code execution due to the processing of a specific HTTP message when ICAP redirect service is enabled (CVE-2020-1647)
Product-Group=junos
On Juniper Networks SRX Series with ICAP (Internet Content Adaptation Protocol) redirect service enabled, a double free vulnerability can lead to a Denial of Service (DoS) or Remote Code Execution (RCE) due to processing of a specific HTTP message. Refer to https://kb.juniper.net/JSA11034 for more information.
PR Number Synopsis Category: JSR Application Services
1460035 Junos OS: SRX Series: processing a malformed HTTP message when ICAP redirect service is enabled may lead to flowd process crash or remote code execution (CVE-2020-1654)
Product-Group=junos
On Juniper Networks SRX Series with ICAP (Internet Content Adaptation Protocol) redirect service enabled, processing a malformed HTTP message can lead to a Denial of Service (DoS) or Remote Code Execution (RCE). Refer to https://kb.juniper.net/JSA11031 for more information.
PR Number Synopsis Category: Security platform jweb support
1499280 Junos OS: Security vulnerability in J-Web and web-based (HTTP/HTTPS) services
Product-Group=junos
Junos OS: Security vulnerability in J-Web and web-based (HTTP/HTTPS) services (CVE-2020-1631). Refer to https://kb.juniper.net/JSA11021 for more information.
PR Number Synopsis Category: Layer2 forwarding on EX/NTF/PTX/QFX
1406691 Some interfaces of aggregated Ethernet bundle might go to the Detached state after the bulk configurations change.
Product-Group=junos
On QFX5000 platforms with scaled setup of the aggregated Ethernet (ae) bundles and VLANs, if Link Aggregation Control Protocol (LACP) is enabled, and there are scaled configuration changes, for example, delete 4000 VLANS/VXLANs and reapply them again, some interfaces of ae bundle might go to the detached state. Due to this issue, the running routing protocols (for example, LACP and BGP) will go down over the affected ae bundles.
PR Number Synopsis Category: Multiprotocol Label Switching
1517018 The rpd might crash after upgrading Junos software release from pre 18.1 to 18.1 onwards
Product-Group=junos
On all Junos platforms, the rpd might continuously crash after upgrading Junos software release from pre 18.1 to 18.1 onwards while graceful-restart and RSVP/static LSP are configured. This is because there is a change in the data structure written to the restart db file from 18.1 onwards. So, when rpd comes up and tries to read the restart db file written by pre 18.1 release image, the rpd might crash.
PR Number Synopsis Category: DNS filtering on MX.
1474056 Junos OS: MX Series: Services card might restart when DNS filtering is enabled (CVE-2020-1645)
Product-Group=junos
When DNS filtering is enabled on Juniper Networks Junos MX Series with one of the following cards MS-PIC, MS-MIC or MS-MPC, an incoming stream of packets processed by the Multiservices PIC Management Daemon (mspmand) process, responsible for managing "URL Filtering service", may crash, causing the Services PIC to restart. Refer to https://kb.juniper.net/JSA11028 for more information.
PR Number Synopsis Category: OS IPv4/ARP/ICMPv4
1468183 Junos OS: Kernel crash (vmcore) or FPC crash due to mbuf leak (CVE-2020-1653)
Product-Group=junos
On Juniper Networks Junos OS devices, a stream of TCP packets sent to the Routing Engine (RE) may cause mbuf leak which can lead to Flexible PIC Concentrator (FPC) crash or the system to crash and restart (vmcore). Refer to https://kb.juniper.net/JSA11040 for more information.
PR Number Synopsis Category: FreeBSD Kernel Infrastructure
1505864 The installation fails when upgrading from legacy Junos to specific BSDx based Junos
Product-Group=junos
The installation might fail when upgrading from legacy Junos (before Junos 15.1) to higher BSDx based Junos releases (Junos 15.1 and after).
1518898 The kernel might crash if a file/directory is accessed for the first time and is not created locally
Product-Group=junos
On the Junos with Virtual Filesystem (VirtFS), if a file/directory is accessed for the first time and is not created locally, the kernel might crash and generate a vmcore file. Junos might reboot due to this issue.
PR Number Synopsis Category: Generic platform and infra issues for MS-MIC and MS-MPC(XLP)
1453811 Delay in freeing processed defragment buffers leads to prolonged flow control and might crash.
Product-Group=junos
On Juniper Networks Junos MX Series with service card configured, receipt of a stream of specific packets may crash the MS-PIC component on MS-MIC or MS-MPC. Refer to https://kb.juniper.net/JSA11037 for more information.
PR Number Synopsis Category: TRIO Interface based services
1465490 On MPC7, MPC8, and MPC9, WO packet error and FPC major alarm are observed when reassembling the small fragments.
Product-Group=junos
When a device is running Juniper Networks Junos OS with MPC7, MPC8, or MPC9 line cards installed and the system is configured for inline IP reassembly, used by L2TP, MAP-E, and GRE, the Packet Forwarding Engine is disabled upon receipt of small fragments requiring reassembly. Refer to https://kb.juniper.net/JSA11036 for more information.
PR Number Synopsis Category: Trio pfe l3 forwarding issues
1474154 Junos OS: MX Series: PFE crash on MPC7/8/9 upon receipt of large packets requiring fragmentation (CVE-2020-1655)
Product-Group=junos
When a device is running Juniper Networks Junos OS with MPC7, MPC8, or MPC9 line cards installed and the system is configured for inline IP reassembly, used by MAP-E, the Packet Forwarding Engine is disabled upon receipt of large packets requiring fragmentation. Refer to https://kb.juniper.net/JSA11041 for more information.
 

18.3R2-S4 - List of Known issues

PR Number Synopsis Category: IPSEC/IKE VPN
1517262 The flowd might crash in IPsec VPN scenario
Product-Group=junos
On SRX platforms with IPsec VPN configured, the flowd might crash during the IPsec VPN rekey window. Traffic/service might be impacted if this issue is hit.
PR Number Synopsis Category: QFX L2 PFE
1454095 Changing the VLAN name associated with the access ports might prevent the MAC addresses from being learned under the EVPN-VXLAN scenario.
Product-Group=junos
On the QFX5k platform with EVPN-VXLAN configured, if the VLAN name associated with access ports is changed, then the virtual bridge domain may not be created. Due to this, the MAC addresses will not be learned. This issue will cause traffic loss.
1475005 The system might stop new MAC learning and impact the Layer 2 traffic forwarding.
Product-Group=junos
On QFX platforms, if there are a lot of MAC moves, the system might stop learning new MAC addresses, and many old MAC addresses might become stuck and cannot be aged out and deleted. This issue could impact Layer 2 traffic forwarding and customer service.
 
Modification History:
First publication 2020-09-25