Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

18.2R2-S8: Software Release Notification for JUNOS Software Version 18.2R2-S8

0

0

Article ID: TSB17986 TECHNICAL_BULLETINS Last Updated: 04 Mar 2021Version: 2.0
Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX, MX, PTX, QFX, NFX, SRX, VRR, vMX, vSRX
Alert Description:
NOTE: We are investigating an issue of a failed upgrade to 18.2R2-S8 on the MX10008 platform. We will provide an update as more detail is available.
In the meantime, we suggest that you do not upgrade MX10008 to this release. 2021-03-4

Junos Software Service Release version 18.2R2-S8 is now available for download from the Junos software download site

Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as need and follow the prompts
Solution:

Junos Software service Release version 18.2R2-S8 is now available.

18.2R2-S8 - List of Fixed issues
PR Number Synopsis Category: QFX L3 data-plane/forwarding
1495890 On the EX4300-MP and EX4600 devices, high CPU load due to receipt of specific Layer 2 frames in EVPN-VXLAN deployment.
Product-Group=junos
JSA11084 Junos OS: EX4300-MP/EX4600/QFX5K Series: High CPU load due to receipt of specific layer 2 frames in EVPN-VXLAN deployment. (CVE-2020-1687): On Juniper Networks EX4300-MP Series, EX4600 Series and QFX5K Series deployed in (Ethernet VPN) EVPN-(Virtual Extensible LAN) VXLAN configuration, receipt of a stream of specific VXLAN encapsulated layer 2 frames can cause high CPU load, which could lead to network protocol operation issue and traffic interruption. Refer to https://kb.juniper.net/JSA11084 for more information. JSA11086 Junos OS: EX4300-MP/EX4600/QFX5K Series: High CPU load due to receipt of specific layer 2 frames when deployed in a Virtual Chassis configuration (CVE-2020-1689) On Juniper Networks EX4300-MP Series, EX4600 Series and QFX5K Series deployed in a Virtual Chassis configuration, receipt of a stream of specific layer 2 frames can cause high CPU load, which could lead to traffic interruption. This issue does not occur when the device is deployed in Stand Alone configuration. Refer to https://kb.juniper.net/JSA11086 for more information.
PR Number Synopsis Category: Border Gateway Protocol
1398700 The process rpd might crash in BGP setup with NSR enabled.
Product-Group=junos
The routing protocol daemon (rpd) may restart when BGP teardown a peer when the peer's "prefix-limit" is exceeded. This issue is applicable when the "non-stop-routing" feature is configured.
PR Number Synopsis Category: Track PRs in BGP Flow Spec area & is part of BGP inside RPD.
1539109 Junos OS and Junos OS Evolved: Upon receipt of a specific BGP FlowSpec message network traffic may be disrupted. (CVE-2021-0211)
Product-Group=junos
Upon receipt of a specific BGP FlowSpec message network traffic may be disrupted. Please refer to https://kb.juniper.net/JSA11101 for more information.
PR Number Synopsis Category: MPC5/6E pfe microcode software
1459698 Silent dropping of traffic upon interface flapping after DRD auto-recovery
Product-Group=junos
An interface stops forwarding traffic when MX software triggers a "DRD reorder timeout recovery" event followed by an interface flap on the same XM-chip. When the logic is triggered, message "cmtfpc_xmchip_drd_reorder_id_timeout_callback" will be reported in the PFE syslog messages. This issue affects XM-chip based MPCs (MPC3E/4E/5E/6E/2E-NG/3E-NG).
PR Number Synopsis Category: MX-ELM l2ng stormcontrol
1552815 The knob 'action-shutdown' of storm control does not work for ARP broadcast packets
Product-Group=junos
With knob 'action-shutdown' configured in storm control scenario, the interface will not go to shutdown state if ARP storm exceeds the configured limit. The excess packets will be dropped normally.
PR Number Synopsis Category: OpenSSH and related subsystems
1454177 The SSH login might fail if a user account exists in both the local database and RADIUS/TACACS+.
Product-Group=junos
SSH login from an automation tool to the Junos OS device might not be successful if the username is configured both as a local user and on remote RADIUS/TACACS server, and using authentication method 'password'.
PR Number Synopsis Category: Device Configuration Daemon
1519334 Buffer overflow vulnerability in a device control daemon is observed.
Product-Group=junos
A stack buffer overflow vulnerability in the device control daemon (DCD) on Juniper Networks Junos OS allows a low privilege local user to create a Denial of Service (DoS) against the daemon or execute arbitrary code in the system with root privilege. Please refer to https://kb.juniper.net/JSA11061 for more information.
PR Number Synopsis Category: This is for all defects raised against dns-proxy feature
1512212 Junos OS: SRX Series: ISC Security Advisory: BIND does not sufficiently limit the number of fetches performed when processing referrals (CVE-2020-8616)
Product-Group=junos
On Juniper Networks Junos OS SRX Series devices an uncontrolled resource consumption vulnerability in BIND may allow an attacker to cause a Denial of Service (DoS) condition. When these devices are configured to use DNS Proxy, these devices do not sufficiently limit the number of fetches performed when processing referrals. In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. In its original design BIND (as well as other nameservers) does not sufficiently limit the number of fetches which may be performed while processing a referral response. A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. Refer to https://kb.juniper.net/JSA11090 for more information.
PR Number Synopsis Category: Express PFE including evpn, vxlan
1518537 Junos OS: QFX10K Series: Traffic loop Denial of Service (DoS) upon receipt of specific IP multicast traffic (CVE-2021-0221)
Product-Group=junos
In an EVPN/VXLAN scenario, if an IRB interface with a virtual gateway address (VGA) is configured on a PE, a traffic loop may occur upon receipt of specific IP multicast traffic. The traffic loop will cause interface traffic to increase abnormally, ultimately leading to a Denial of Service (DoS) in packet processing. Please refer to https://kb.juniper.net/JSA11111 for more information.
PR Number Synopsis Category: Express PFE Services including JTI, TOE, HostPath, Jflow
1495788 Junos OS: PTX/QFX Series: Kernel Routing Table (KRT) queue stuck after J-Flow sampling a malformed packet (CVE-2020-1679)
Product-Group=junos
On Juniper Networks PTX/QFX Series devices, J-Flow sampling of a malformed packet can cause the Kernel Routing Table (KRT) queue to become stuck. KRT is the module within the Routing Process Daemon (RPD) that synchronized the routing tables with the forwarding tables in the kernel. This table is then synchronized to the Packet Forwarding Engine (PFE) via the KRT queue. Thus, when KRT queue become stuck, it can lead to unexpected packet forwarding issues. Refer to https://kb.juniper.net/JSA11076 for more information.
PR Number Synopsis Category: jdhcpd daemon
1511782 Receipt of malformed DHCPv6 packets causes jdhcpd to crash (CVE-2020-1671).
Product-Group=junos
On Juniper Networks Junos OS platforms configured as DHCPv6 local server or DHCPv6 Relay Agent, Juniper Networks Dynamic Host Configuration Protocol Daemon (JDHCPD) process might crash with a core dump if a malformed DHCPv6 packet is received, resulting with the restart of the daemon. Refer to https://kb.juniper.net/JSA11068 for more information.
PR Number Synopsis Category: IPSEC/IKE VPN
977435 Junos OS: SRX Series: An attacker sending spoofed packets to IPSec peers may cause a Denial of Service. (CVE-2020-1657)
Product-Group=junos
On SRX Series devices, a vulnerability in the key-management-daemon (kmd) daemon of Juniper Networks Junos OS allows an attacker to spoof packets targeted to IPSec peers before a security association (SA) is established thereby causing a failure to set up the IPSec channel; Refer to https://kb.juniper.net/JSA11050 for more information.
PR Number Synopsis Category: Security platform jweb support
1518212 Junos OS: Privilege escalation in J-Web due to arbitrary command and code execution via information disclosure from another users active session (CVE-2021-0210)
Product-Group=junos
An Information Exposure vulnerability in J-Web of Juniper Networks Junos OS allows an unauthenticated attacker to elevate their privileges over the target system through opportunistic use of an authenticated users session. Please refer to https://kb.juniper.net/JSA11100 for more information.
PR Number Synopsis Category: PTX1000 platform
1401507 The TCP connection for external or internal might be dropped due to a kernel issue
Product-Group=junos
Due to a kernel issue, any TCP connection, either the external TCP carrying like BGP or internal TCP like the connection between ppmd in RE and ppman in PFE might be dropped. It will result in the relevant session going down.
PR Number Synopsis Category: Port-based link layer security services and protocols that a
1503010 The replay protection window size is wrongly set if replay-protect for MACsec is enabled with replay-window-size value set to zero
Product-Group=junos
If replay-protect for MACsec is enabled with replay-window-size value set to zero, the size of the replay protection window is wrongly set to max window size.
PR Number Synopsis Category: IDS features available on MS-MPC/MIC
1536100 Junos OS: MX Series: Dynamic filter fails to match IPv6 prefix (CVE-2021-0205)
Product-Group=junos
When the "Intrusion Detection Service" (IDS) feature is configured on Juniper Networks MX series with a dynamic firewall filter using IPv6 source or destination prefix, it may incorrectly match the prefix as /32, causing the filter to block unexpected traffic. Refer to https://kb.juniper.net/JSA11095 for more information.
PR Number Synopsis Category: "ifstate" infrastructure
1439906 On all Junos OS VM based platforms, FPC might reboot if jlock hog occurs.
Product-Group=junos
On a JUNOS VM using TSC clocking from the host system, "jlock hog" messages may be seen. This may lead to FPCs reboot.
PR Number Synopsis Category: JUNOS Network App Infrastructure (for ping, traceroute, etc)
1502386 Arbitrary code execution vulnerability in telnet server (CVE-2020-10188).
Product-Group=junos
A vulnerability in the telnetd Telnet server allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions. Refer to https://kb.juniper.net/JSA11057 for more information.
PR Number Synopsis Category: vMX CoS issues
1433912 Traffic loss might happen when L2TP LNS si interface with CoS configuration is enabled
Product-Group=junos
In the L2TP subscriber access network scenario, when the traffic passes via L2TP LNS si interface (L2TP network server (LNS) inline service interfaces) which enabled dynamic CoS configuration, the loopback device that corresponds to si interface will handle this traffic in the flow cache. If the CoS lcore dump file occurs, the traffic might be lost since the vFPC might not cache this flow.
PR Number Synopsis Category: vMX Data Plane Issues
1401224 The RIOT may crash and cause traffic loss in case of oversubscription with X710 card on the VMX platform
Product-Group=junos
In vMX over COT servers scenario, packets are handed by RIOT, which uses i40evf (Intel 10/40GbE Virtual Function) PMD (Poll mode driver) for 10G/40G interfaces. In case of oversubscription, the VF driver might hit an error in packet reception. To increase packet stats, VF driver tries to refer some structure that is not populated, then the RIOT crashes and causes the traffic loss. This is a bug in i40evf driver.
1449014 IPv6 packets might get dropped when vMX acts as a VRRPv3 gateway.
Product-Group=junos
IPv6 VRRP MAC address is not handled correctly by VFP (virtual forwarding plane). If the IPv6 traffic throughput is beyond the bandwidth of this slow path, the IPv6 packets might be dropped.
1483224 Malformed packet causes one of the LACP AE (Aggregated Ethernet) interfaces to stop forwarding on vMX
Product-Group=junos
Only on vMX platform, when one of LACP links interface receives the malformed packet (such as runt packet), it might cause a PF reset which leads to the interface stop forwarding traffic.
PR Number Synopsis Category: vMX Platform Infrastructure related issue tracking
1423575 Junos OS: vMX and MX150: Denial of Service vulnerability in packet processing (CVE-2020-1627)
Product-Group=junos
A vulnerability in Juniper Networks Junos OS on vMX and MX150 devices may allow an attacker to cause a Denial of Service (DoS) by sending specific packets requiring special processing in microcode that the flow cache can't handle, causing the riot forwarding daemon to crash. By continuously sending the same specific packets, an attacker can repeatedly crash the riot process causing a sustained Denial of Service. Refer to https://kb.juniper.net/JSA11006 for more information.
1548422 Traffic with jumbo frame may be discarded on the vMX platforms
Product-Group=junos
On the VMX platforms which are installed on ESXI 6.7 with vmxnet3 driver, traffic with jumbo frame (Packets with MTU more than 1500) may be discarded upon receiving.
PR Number Synopsis Category: VMX wrlinux changes
1452915 The VMX might drop packets that are needed for fragmentation
Product-Group=junos
On the VMX platform, if the traffic mixes packets that need to be fragmented and does not need to be fragmented, the packet needed for fragmentation is 100% dropped.
1475381 The "tcp-mss" configuration might not work for LNS subscribers and IP traffic on the vMX platforms
Product-Group=junos
When the "tcp-mss" is configured for L2TP-LNS subscribers or enabled for pure IP traffic on the vMX platforms, only the initial TCP SYN packet will be adjusted correctly with configured TCP-MSS, and the rest TCP SYN packets will not be adjusted correctly. Because of that, large size packets will get dropped if the set tcp-mss is smaller than the value in original TCP SYN packets.
PR Number Synopsis Category: platform related PRs on SRX branch platforms
1512810 Junos OS: SRX Series: A logic error in BIND can be used to trigger a Denial of Service (DoS) (CVE-2020-8617)
Product-Group=junos
A vulnerability in BIND code, used in Juniper Networks Junos OS on SRX Series devices, which checks the validity of messages containing TSIG resource records can be exploited by an attacker to trigger an assertion failure in tsig.c, resulting in a Denial of Service (DoS). Refer to https://kb.juniper.net/JSA11091 for more information.
PR Number Synopsis Category: MPC7/8/9 Interface Issues
1441816 Egress stream flush failure and traffic black hole might occur.
Product-Group=junos
Egress stream flush failure and silent dropping of traffic could occur in a rare occasion for a repeatedly flapping link on MPC7E, MPC8E, MPC9E cards, MX204 and MX10003.
PR Number Synopsis Category: MX10003/MX204 MPC defects tracking
1474231 MX10000 QSA adapter lane 0 port goes in the down state when disabling one of the other lanes.
Product-Group=junos
When QSA adapter is installed, the Lane 0 port might be also in down state when disabling one of the other lanes (1, 2 or 3) due to the chan number not entertained. It is not expected behaviour and it might affect service.
PR Number Synopsis Category: UI Infrastructure - mgd, DAX API, DDL/ODL
1519337 Junos OS: Command injection vulnerability in 'request system software' CLI command (CVE-2021-0219)
Product-Group=junos
A command injection vulnerability in install package validation subsystem of Juniper Networks Junos OS that may allow a locally authenticated attacker with privileges to execute commands with root privilege. To validate a package in Junos before installation, an administrator executes the command 'request system software add validate-on-host' via the CLI. An attacker with access to this CLI command may be able to exploit this vulnerability. Please refer to https://kb.juniper.net/JSA11109 for more information.
1529210 Junos OS: dexp Local Privilege Escalation vulnerabilities in SUID binaries (CVE-2021-0204)
Product-Group=junos
A sensitive information disclosure vulnerability in delta-export configuration utility (dexp) of Juniper Networks Junos OS may allow a locally authenticated shell user the ability to create and read database files generated by the dexp utility, including password hashes of local users. Please refer to https://kb.juniper.net/JSA11114 for more information.
PR Number Synopsis Category: PTX/QFX10002/8/16 specific software components
1452604 PLL errors might be seen after FPC reboots or restarts.
Product-Group=junos
On MX10008/MX10016 platforms, when FPC reboot or restart by any means, PLL_CMERROR_MPC_LMK04906_WAN_LD and PLL_CMERROR_MPC_LMK04906_WAN_LOS errors might be seen shortly after the FPC comes back online.
 

18.2R2-S8 - List of Known issues
PR Number Synopsis Category: EX9200 Platform
1448368 On the EX9214 device, the following error message are observed after reboot and MACsec-enabled link flaps: errorlib_set_error_log(): err_id(-1718026239).
Product-Group=junos
On the EX9214 device, if the MACsec-enabled link flaps after reboot, the error "errorlib_set_error_log(): err_id(-1718026239)" is observed.
PR Number Synopsis Category: NFX Series Platform Software
1462556 Junos OS: NFX350: Password hashes stored in world-readable format (CVE-2020-1669)
Product-Group=junos
The Juniper Device Manager (JDM) container, used by the disaggregated Junos OS architecture on Juniper Networks NFX350 Series devices, stores password hashes in the world-readable file /etc/passwd. This is not a security best current practice as it can allow an attacker with access to the local filesystem the ability to brute-force decrypt password hashes stored on the system. Refer to https://kb.juniper.net/JSA11066 for more information.
PR Number Synopsis Category: MX-ELM l2ng stormcontrol
1552815 The knob 'action-shutdown' of storm control does not work for ARP broadcast packets
Product-Group=junosvae
With knob 'action-shutdown' configured in storm control scenario, the interface will not go to shutdown state if ARP storm exceeds the configured limit. The excess packets will be dropped normally.
PR Number Synopsis Category: EA chip ( MQSS SW issues )
1444963 Routing Engine-generated jumbo frames might get dropped.
Product-Group=junos
RE generated jumbo frames might get dropped due to incorrect MTU setting on the internal switch
PR Number Synopsis Category: Interface Information Display
1439440 Mgd processes increases because the mgd processes are not closed properly.
Product-Group=junos
On SRX Series platforms, sometimes the mgd processes are not properly closed. As a result, many mgd instances are unnecessarily left running.
PR Number Synopsis Category: Layer 2 Control Module
1561235 The l2cpd core might be seen on reboot
Product-Group=junos
When xSTP is used, the l2cpd core might be seen on reboot. This will be a one-time core and will not impact on functionality.
PR Number Synopsis Category: Kernel Stats Infrastructure
1482379 Junos OS: Memory leak leads to kernel crash (vmcore) due to SNMP polling (CVE-2020-1683)
Product-Group=junos
On Juniper Networks Junos OS devices, a specific SNMP OID poll causes a memory leak which over time leads to a kernel crash (vmcore). Refer to https://kb.juniper.net/JSA11080 for more information.
PR Number Synopsis Category: Resource Reservation Protocol
1242558 Stale LSPs might exist if the primary LSP goes down immediately after bypass LSP
Product-Group=junos
If the primary link goes down immediately after bypass (for example, FPC containing both primary and bypass, or both primary and bypass FPCs go down simultaneously) such that primary link goes down even before the PLR sends out any path message after bypass down, then the nodes downstream of the PLR along the LSP path will be left with stale LSP state until refresh timeout. This condition will not result in any traffic loss.
PR Number Synopsis Category: Virtual Router Redundancy Protocol
1558560 Junos device might send VRRP advertisement packets in VRRP init or idle state before startup-silent-period timer expiry after performing GRES on VRRP master device with NSR disabled
Product-Group=junos
If VRRP master device has dual Routing Engines (REs) and GRES enabled but nonstop-routing (NSR) disabled, after performing GRES, both REs will move to VRRP init then idle state and the new master RE will send VRRP advertisement packets in this stage before startup-silent-period timer expiry. Since the VRRP backup device can still receive the VRRP advertisement packets with higher priority, it will not transition to VRRP master state and hence cause the longer traffic downtime until the VRRP master device re-take the VRRP mastership after startup-silent-period timer expiry.
Modification History:
2021-03-04 - Update with a note not recommend upgrading MX10008 to this software release
First publication - 2021-02-26
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search