19.4R2-S4: Software Release Notification for JUNOS Software Version 19.4R2-S4

Article ID: TSB18040 TECHNICAL_BULLETINS Last Updated: 05 May 2021 Version: 1.0
Alert Type:
SRN - Software Release Notification
Product Affected:
ACX, EX, MX, PTX, QFX, NFX, SRX, VRR, vMX, vSRX
Alert Description:
Junos Software Service Release version 19.4R2-S4 is now available for download from the Junos software download site
Download Junos Software Service Release:
  1. Go to Junos Platforms - Download Software page
  2. Input your product in the "Find a Product" search box
  3. From the Type/OS drop-down menu, select Junos SR
  4. From the Version drop-down menu, select your version
  5. Click the Software tab
  6. Select the Install Package as needed and follow the prompts
Solution:

Junos Software Service Release version 19.4R2-S4 is now available.

19.4R2-S4 - List of Fixed issues
PR Number Synopsis Category: EX2300/3400 platform
1535106 EX2300/EX3400 : RTC ERROR and SETTIME failed messages are seen
Product-Group=junos
On EX2300 and EX3400 series, RTC ERROR and SETTIME failed messages might sometimes be observed without any trigger.
PR Number Synopsis Category: EX-Series VC Infrastructure
1573173 EX4600/EX4300 mixed VC : Error message 'ex_bcm_pic_eth_uint8_set' is seen when changing config related to interface.
Product-Group=junos
On EX4600/EX4300 mixed VC, the error message 'ex_bcm_pic_eth_uint8_set' could be seen whenever the interface configuration is changed.
PR Number Synopsis Category: QFX PFE MPLS
1528409 Junos OS: EX4300-MP/EX4600/EX4650/QFX5K Series: Packet Forwarding Engine manager (FXPC) process crashes when deployed in a Virtual Chassis (VC) configuration (CVE-2021-0237)
Product-Group=junos
On Juniper Networks EX4300-MP Series, EX4600 Series, EX4650 Series, QFX5K Series deployed as a Virtual Chassis with a specific Layer 2 circuit configuration, Packet Forwarding Engine manager (FXPC) process may crash and restart upon receipt of specific layer 2 frames. Refer to https://kb.juniper.net/JSA11132 for more information.
PR Number Synopsis Category: Border Gateway Protocol
1492743 The BGP route-target family might prevent the route reflector from reflecting Layer 2 VPN and Layer 3 VPN routes.
Product-Group=junos
If the user sets only protocols bgp local-as <> without configuring routing-options autonomous-system <>, or configures an autonomous-system number different from local-as, the iBGP route reflector (RR) treats the route-target (RT) routes from iBGP neighbor PEs as external prefixes. By default, the external peer number is limited to one for a given route target, so in this case the route reflector might not reflect L2VPN and L3VPN prefixes to some iBGP clients that advertised the same RT prefixes.
1538491 Configuring then next hop and then reject on a route policy for the same route might cause the rpd process to crash.
Product-Group=junos
On all Junos platforms with BGP enabled, if a policy sets 'then next-hop' and 'then reject' at the same time for the same prefix, an rpd crash might be seen. For example:
  set policy-options policy-statement xxx term 1 from route-filter xxx
  set policy-options policy-statement xxx term 1 then next-hop ...
  set policy-options policy-statement xxx term 2 then reject
PR Number Synopsis Category: Track PRs in BGP Flow Spec area & is part of BGP inside RPD.
1537085 Junos OS: A specific BGP VPNv6 flowspec message causes routing protocol daemon (rpd) process to crash with a core (CVE-2021-0236)
Product-Group=junos
Due to an improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved the Routing Protocol Daemon (RPD) service, upon receipt of a specific matching BGP packet meeting a specific term in the flowspec configuration, crashes and restarts causing a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. Refer to https://kb.juniper.net/JSA11131 for more information.
PR Number Synopsis Category: MX Platform SW - UI management
1498538 SNMP polling does not show correct PSM jnxOperatingState when one of the PSM inputs failed.
Product-Group=junos
SNMP polling does not show the correct PSM jnxOperatingState when one of the PSM inputs has failed or does not exist.
PR Number Synopsis Category: MX-ELM l2ng stormcontrol
1552815 The statement 'action-shutdown' of storm control does not work for ARP broadcast packets.
Product-Group=junos
With the 'action-shutdown' knob configured in a storm control scenario, the interface will not go to the shutdown state if an ARP storm exceeds the configured limit. The excess packets will be dropped normally.
PR Number Synopsis Category: QFX Control Plane VXLAN
1548415 Junos OS: Remote code execution vulnerability in overlayd service (CVE-2021-0254)
Product-Group=junos
A buffer size validation vulnerability in the overlayd service of Juniper Networks Junos OS may allow an unauthenticated remote attacker to send specially crafted packets to the device, triggering a partial Denial of Service (DoS) condition, or leading to remote code execution (RCE). Continued receipt and processing of these packets will sustain the partial DoS. Please refer to https://kb.juniper.net/JSA11147 for more information.
PR Number Synopsis Category: Ethernet OAM (LFM)
1529209 Junos OS: ethtraceroute Local Privilege Escalation vulnerabilities in SUID binaries (CVE-2021-0255)
Product-Group=junos
A local privilege escalation vulnerability in ethtraceroute Ethernet OAM utility of Juniper Networks Junos OS may allow a locally authenticated user with shell access to escalate privileges and write to the local filesystem as root. Please refer to https://kb.juniper.net/JSA11175 for more information.
PR Number Synopsis Category: EVPN Layer-2 Forwarding
1535515 All the ARP reply packets toward some address are flooded across the entire fabric.
Product-Group=junos
In the EVPN-VXLAN scenario, if the spine has irb and the leaves don't have irb, and the leaves have multi-home interfaces, the ARP reply packets flooding across the entire fabric might be seen.
PR Number Synopsis Category: Express PFE L2 fwding Features
1486614 Junos OS: QFX10002-32Q, QFX10002-60C, QFX10002-72Q, QFX10008, QFX10016: In EVPN-VXLAN scenarios receipt of specific genuine packets by an adjacent attacker will cause a kernel memory leak in FPC. (CVE-2021-0272)
Product-Group=junos
A kernel memory leak in the Flexible PIC Concentrators (FPCs) of QFX10002-32Q, QFX10002-60C, QFX10002-72Q, QFX10008, QFX10016 devices on Juniper Networks Junos OS allows an attacker to send genuine packets destined to the device to cause a Denial of Service (DoS) to the device. Please refer to https://kb.juniper.net/JSA11163 for more information.
PR Number Synopsis Category: ISIS routing protocol
1482983 The output of the show isis interface detail command might be incorrect if wide-metrics-only is enabled for IS-IS and the ASCII representation of the metric in decimal is more than 6 characters long.
Product-Group=junos
If 'wide-metrics-only' is enabled for any IS-IS level and a metric configured on the IS-IS enabled interface for that level has ASCII representation in decimal more than 6 characters long, this interface's metric for that level will be merged with 'priority' field value in the output of 'show isis interface detail'.
PR Number Synopsis Category: jdhcpd daemon
1491349 The jdhcpd memory leak might be observed in subscriber scenario
Product-Group=junos
On all Junos platforms, the jdhcpd memory leak might be seen during DHCPv4/DHCPv6 subscriber logout. The memory leak will be proportional to subscriber scale as the leak will happen for each client entry.
1534814 Junos OS: Receipt of a crafted DHCP packet will cause the jdhcpd DHCP service to core (CVE-2021-0267)
Product-Group=junos
An Improper Input Validation vulnerability in the active-lease query portion in JDHCPD's DHCP Relay Agent of Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) by sending a crafted DHCP packet to the device thereby crashing the jdhcpd DHCP service. This is typically configured for Broadband Subscriber Sessions. Please refer to https://kb.juniper.net/JSA11158 for more information.
1564434 Junos OS: Receipt of malformed DHCPv6 packets causes jdhcpd to crash and restart. (CVE-2021-0240)
Product-Group=junos
On Juniper Networks Junos OS platforms configured as DHCPv6 local server or DHCPv6 Relay Agent, the Juniper Networks Dynamic Host Configuration Protocol Daemon (JDHCPD) process might crash if a malformed DHCPv6 packet is received, resulting in a restart of the daemon. The daemon automatically restarts without intervention, but continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. Please refer to https://kb.juniper.net/JSA11168 for more information.
PR Number Synopsis Category: PFE infra to support jvision
1547698 The SENSOR APP DWORD leak is observed during the period of churn for routes bound to the sensor group.
Product-Group=junos
The SENSOR APP DWORD leak is observed during the period of churn for routes bound to the sensor group. Sensor types that are affected are Segment Routing, Segment Routing-TE, LDP and RSVP LSPs. Refer to https://kb.juniper.net/TSB17912 for more information.
PR Number Synopsis Category: Layer2 forwarding on EX/NTF/PTX/QFX
1534796 High rate of ARP or NS packets might be observed between a device that runs Junos OS and host when the device that runs Junos OS receives an ARP or NS packet on an interface in transition.
Product-Group=junos
On a Junos device in an EVPN scenario, if an interface is in transition status and an ARP request is received on the interface from a host, the Junos device may send a re-ARP towards the host; the host responds to this re-ARP, and the Junos device sends another re-ARP in response to the ARP reply from the host. This loop continues, causing a high rate of ARP packets, until the interface comes up. This issue is also applicable to ND/NS in an IPv6 environment.
1551025 The l2alm processes high CPU utilization might be observed in the EVPN-VXLAN environment.
Product-Group=junos
In the EVPN-VXLAN scenario, as part of fixing PR1535515, the mac-ip entry's aging timer is adjusted by plus 30 seconds. These changes expose an issue in ARP expiry handling and result in high CPU utilization by the l2alm process. This issue may cause MAC learning issues and even traffic loss.
PR Number Synopsis Category: lldp sw on MX platform
1576721 The LLDP neighbor information displays hex string instead of chassis ID when subtype 1 is used.
Product-Group=junos
LLDP neighbor information displays hex format instead of chassis ID when interoperating with some other vendors' devices which use subtype 1 in chassis-id.
PR Number Synopsis Category: MQTT protocol, Mosquitto Broker and Client API
1522265 Junos OS: Receipt of specific packets could lead to Denial of Service in MQTT Server (CVE-2021-0229)
Product-Group=junos
An uncontrolled resource consumption vulnerability in Message Queue Telemetry Transport (MQTT) server of Juniper Networks Junos OS allows an attacker to cause MQTT server to crash and restart leading to a Denial of Service (DoS) by sending a stream of specific packets. Please refer to https://kb.juniper.net/JSA11124 for more information.
PR Number Synopsis Category: Multicast for L3VPNs
1536903 The PIM (S,G) join state might stay forever when there are no MC receivers and source is inactive.
Product-Group=junos
The problem can be seen in MVPN ASM scenario on a PE which has local MC source and receivers and RP is remote. If all receivers stop joining the group and MC source stops transmitting, corresponding PIM (S,G) state may remain indefinitely despite that. Due to the problem a router will maintain extra PIM state. Service is not impacted.
PR Number Synopsis Category: Jflow and sflow on MX
1550603 The adapted sample rate might get reset to the configured sample rate without changing the sampling rate information in sFlow datagrams after enabling sFlow technology on a new interface.
Product-Group=junos
For the platforms supporting a single sample rate per line card (i.e. MX Series routers and EX9200 switches), the actual (effective) sample rate of all the interfaces on a single FPC will be set to the sample rate with the lowest value if the configured or adapted sample rates differ among the interfaces with sFlow technology enabled on this FPC. So, after an adaptive sampling event happens and the adapted sample rate (which has a value greater than the configured sample rate) is used for the interfaces on an FPC, enabling sFlow technology on a new interface on the same FPC changes the actual (effective) sample rate for the existing interfaces to the configured sample rate. However, the "Adapted sample rate" in the "show sflow interface" CLI command and the "Sampling rate" in the sampling information of the sFlow datagrams still show the previous adapted sample rate. The inconsistency between the flow information and the actual sample rate might cause issues on the collector side.
PR Number Synopsis Category: Fabric Manager for MX
1482124 Fabric healing logic incorrectly makes all MPC line cards go offline in the MX2000 router while the hardware fault is located on one specific MPC line-card slot.
Product-Group=junos
In specific MPC hardware failure conditions within the MX2K platform, fabric healing will attempt to auto-heal the fault location in 3 phases to prevent traffic blackholing. If under such fault conditions only destination timeouts are reported without corresponding link errors, the fabric healing process might restart all MPCs in phase-2 in an auto-healing attempt, and if the error condition appears again within 10 minutes, the last phase-3 might offline all MPCs in the system. The MX2K platform is exposed with SFB2 and SFB3; with SFB installed, it is exposed only if 'set chassis fabric disable-grant-bypass' is configured.
PR Number Synopsis Category: IDS features available on MS-MPC/MIC
1536100 Junos OS: MX Series: Dynamic filter fails to match IPv6 prefix (CVE-2021-0205)
Product-Group=junos
When the "Intrusion Detection Service" (IDS) feature is configured on Juniper Networks MX series with a dynamic firewall filter using IPv6 source or destination prefix, it may incorrectly match the prefix as /32, causing the filter to block unexpected traffic. Refer to https://kb.juniper.net/JSA11095 for more information.
PR Number Synopsis Category: OSPF routing protocol
1543147 The metric of prefixes in intra-area-prefix LSA might be changed to 65535 when the metric of one of the OSPFv3 P2P interfaces is set to 65535.
Product-Group=junos
When the metric of one of the OSPFv3 p2p interfaces is set to 65535, the metrics of some of the prefixes in the intra-area-prefix LSA associated with the p2p interface will be changed to 65535. This problem is seen only when the metric of the p2p interface is set to 65535; a metric value <= 65534 does not cause this problem. The problem is seen regardless of whether the p2p interface belongs to the IPv4 or IPv6 realm. Non-p2p interfaces are not affected by this problem.
PR Number Synopsis Category: PE based services related sw
1546143 Junos OS: PTX Series: Denial of Service in packet processing due to heavy route churn when J-Flow sampling is enabled (CVE-2021-0263)
Product-Group=junos
A vulnerability in the Multi-Service process (multi-svcs) on the FPC of Juniper Networks Junos OS on the PTX Series routers may lead to the process becoming unresponsive, ultimately affecting traffic forwarding, allowing an attacker to cause a Denial of Service (DoS) condition. This can occur during periods of heavy route churn, causing the Multi-Service Process to stop processing updates, without consuming any further updates from kernel. Please refer to https://kb.juniper.net/JSA11154 for more information.
PR Number Synopsis Category: JRR - VRR running on SRX4200
1534795 "request system power-off", "request system halt" not working as expected on JRR200
Product-Group=junos
When "request system halt" or "request system power-off" is executed, Junos is halted but the hypervisor is still up, so physical interfaces remain up. The command does not completely power off the system.
1582038 JRR200: Option-60 (Vendor-Class-Identifier) is not sent during ZTP
Product-Group=junos
The factory default config on JRR200 doesn't have vendor-id option configured on the interfaces (em0; em2-em9) and as a result DHCP option 60 doesn't get sent out to the DHCP/ZTP server during the ZTP process.
PR Number Synopsis Category: Chassis mgmt for all QFX systems - chassis MIB, alarms, CLI
1511155 The QFX10000-36Q line card used on QFX10008 and QFX10016 platforms may fail to detect any QSFP.
Product-Group=junos
On QFX10008/QFX10016 platforms with the QFX10000-36Q line card used, if an ASIC error is detected on the line card, the QSFP might not be detected and then the PIC might be offline.
1567037 On the QFX5100 device, the following internal comment is displayed: Placeholder for QFX platform configuration.
Product-Group=junos
On EX4600 and QFX5100 platform, internal comment 'Placeholder for QFX platform config' may be seen on show config output.
PR Number Synopsis Category: KRT Queue issues within RPD
1539601 The rpd memory leak might be observed on the backup Routing Engine due to the flapping of the link.
Product-Group=junos
On all Junos platforms with dual REs, an rpd memory leak may be seen when an AE member interface flaps or on an immediate restart of the master RE. The memory leak was observed to be around 32 bytes per session; the leak is seen only when the AE has more than 8 legs.
1542280 The KRT queue might get stuck after the Routing Engine switchover.
Product-Group=junos
On all Junos platforms with dual Routing Engines (REs), if RE switchover happens while the rpd process on backup RE (new master RE) is reading routes from kernel, some error might happen in a very rare timing condition, and the Kernel Routing Table (KRT) queue might get stuck due to this issue.
PR Number Synopsis Category: RPD Next-hop issues including indirect, CNH, and MCNH
1534455 Some routes might get incorrectly programmed in the forwarding table in the kernel which is no longer present in rpd.
Product-Group=junos
In a scaled routes scenario, if there is any route change operation when the system is under memory pressure, the rpd might change a route entry but the same is not conveyed to the kernel. This causes a mismatch between routes in rpd and kernel leading to traffic blackhole for the mismatched route entries that are incorrectly programmed in the kernel.
PR Number Synopsis Category: RPD route tables, resolver, routing instances, static routes
1459384 An rpd memory leak might be observed on the backup Routing Engine due to BGP flap
Product-Group=junos
In a BGP scenario when certain routes are flapping frequently, it could lead to an rpd memory leak on the backup Routing Engine. The rpd might crash and restart once the rpd runs out of memory for certain Junos releases.
1555187 The changes do not take effect when the values are set under the static default hierarchy.
Product-Group=junos
The static default values (like preference, metric, tag, etc.) do not take effect after commit when the values are set under the static default hierarchy.
1564964 VRF table does not get refreshed after a change made to maximum-prefixes in the VRF
Product-Group=junos
The VRF table is not getting refreshed after the change in the maximum-prefixes configuration under routing-instance.
PR Number Synopsis Category: show route table commands, tracing, and syslog facilities
1425515 The RPD scheduler slips might be observed upon executing the show route resolution extensive 0.0.0.0/0 | no-more command if the number of routes in the system is large (several millions).
Product-Group=junos
If a system has a lot of routes (several millions) then RPD scheduler slips could happen upon executing 'show route resolution extensive 0.0.0.0/0 | no-more' CLI command. The following message will be syslogged upon the slip:
  rpd[4885]: %DAEMON-3-JTASK_SCHED_SLIP: 8 sec scheduler slip, user: 8 sec 645210 usec, system: 0 sec, 0 usec
PR Number Synopsis Category: SW PRs for SCBE3 related kernel drivers
1564539 MX platforms with MX-SCBE3 may reboot continuously.
Product-Group=junos
A recent change in the kernel boot loader causes Routing Engine kernel memory corruption on a system with MX-SCBE3, which causes the system to reboot continuously.
PR Number Synopsis Category: SRX Wifi
1569680 Wi-Fi mPIM on Branch SRX is reaching out to NTP and DNS servers
Product-Group=junos
When the Wi-Fi mPIM card gets an IP address, it could send NTP and DNS packets to Junos. In firmware 1.2.9 and 1.5.4, DNS and NTP in the Wi-Fi mPIM are disabled by default.
PR Number Synopsis Category: Trio pfe qos software
1559018 The IPv4 EXP rewrite might not work properly when inet6-vpn is enabled.
Product-Group=junos
With 6o4 MPLS VPN enabled, turning on the core-facing EXP/TOS rewrite feature might unexpectedly mark customer IPv4 traffic to EXP 0 and TOS 0. The issue is seen only on back-to-back PE connections in a penultimate-hop-popping (PHP) scenario.
PR Number Synopsis Category: Trio pfe bridging, learning, stp, oam, irb software
1533857 The fpc process might crash when the next hop memory of ASIC is exhausted in the EVPN-MPLS scenario.
Product-Group=junos
On all MX/EX92xx platforms with EVPN-MPLS configured, an NH (Next-Hop) memory leak in the Trio ASIC happens whenever there is route churn for remote MAC-IP entries learned bound to the IRB interface in the EVPN-MPLS routing-instance. When the ASIC's NH memory partition is exhausted (free% NH memory is close to 20% or below), the line card reboots.
PR Number Synopsis Category: Trio pfe l3 forwarding issues
1523537 The BFD session status remains down at the non-anchor FPC even though the BFD session is up after the anchor FPC reboots or panics.
Product-Group=junos
On all platforms with multiple line cards used, after anchor FPC reboot/panic, the BFD session status at non-anchor FPC might be wrong which might cause traffic loss.
PR Number Synopsis Category: UI Infrastructure - mgd, DAX API, DDL/ODL
1553577 The request system software validate on host command does not validate the correct configuration file.
Product-Group=junos
When using the "request system software validate on host username ", please use the latest os-package on remote host for it to properly use the configuration file sent from the host whose configuration file is being validated.
PR Number Synopsis Category: UI Misc
1457602 The version information under the configuration changes from Junos OS Release 19.1 onwards.
Product-Group=junos
Under configuration on 19.x, version info is different from prior 18.x release.
 

19.4R2-S4 - List of Known issues
PR Number Synopsis Category: L2NG Access Security feature
1546166 Junos OS: Receipt of specific DHCPv6 packet may cause jdhcpd to crash and restart (CVE-2021-0241)
Product-Group=junos
On Juniper Networks Junos OS platforms configured as DHCPv6 local server or DHCPv6 Relay Agent, Juniper Networks Dynamic Host Configuration Protocol Daemon (JDHCPD) process might crash with a core dump if a specific DHCPv6 packet is received, resulting in a restart of the daemon. Please refer to https://kb.juniper.net/JSA11168 for more information.
PR Number Synopsis Category: High Availability/NSRP/VRRP
1548173 Disabled node on chassis cluster sent out ARP request packets.
Product-Group=junos
A node in the disabled state on an SRX cluster may send ARP requests when the primaries of RG0 and RG1 are on different nodes.
PR Number Synopsis Category: Firewall Policy
1454907 Traffic might be dropped when policies are changed in SRX Series devices
Product-Group=junos
If a huge number of policies are configured on SRX Series devices and some policies are changed, the traffic that matches the changed policies might be dropped.
PR Number Synopsis Category: Issues related to PKI daemon
1549954 PKI CMPv2 client certificate enrolment does not work on SRX when using root-CA
Product-Group=junos
PKI CMPv2 (RFC 4210) client certificate enrollment does not properly work on SRX Series devices when using root-CA.
PR Number Synopsis Category: SW PRs for SCBE3 fabric
1573360 Fabric errors are observed and FPC processes might get offline when the MPC3-NG/MPC3E/SRX5K-IOC2 line cards are installed along with the MPC7/MPC10/SRX5K-IOC04 and SCBE3/SCB4 line cards operating in an increased-bandwidth fabric mode.
Product-Group=junos
On MX240/MX480/MX960 and SRX5600/SRX5800 platforms, with the default "increased-bandwidth" fabric mode on SCBE3 or SCB4, if MPC3/MPC3-NG or SRX5K-IOC2 exist on the system along with a high bandwidth MPC/IOC, during a high traffic situation or traffic burst through the fabric towards MPC3/MPC3-NG/SRX5K-IOC2, the fabric plane may report an unreachable destination condition and cause fabric healing to trigger. This issue is exacerbated when MPC7, MPC10 or SRX5K-IOC4 line cards are installed, due to the higher fabric bandwidth potential. Please refer to TSB17936 (https://kb.juniper.net/TSB17936) for further details.
PR Number Synopsis Category: Stout card (MPC7) fabric issues
1561306 The BFD session goes down after ISSU switchover.
Product-Group=junos
JDI-RCT:M/Mx: Bfd session went down after switchover phase of ISSU
Modification History:
First Publication Date 2021-05-05