Juniper Networks Junos OS EX Series and QFX Series Incorrect Initialization of Resource Vulnerability

Vulnerability

A vulnerability allowing an integrity impact to downstream networks has been identified in Juniper Networks Junos OS on specific EX Series and QFX Series devices. It arises from incorrect initialization of a resource in the packet forwarding engine (PFE). When the same family inet or inet6 filter is applied as an egress filter on both an IRB interface and a physical interface, only one of the filters is applied. As a result, traffic that should have been blocked can be sent out an interface. The vulnerability affects Junos OS versions 23.4R2-S6 and 24.2R2-S3 on EX4100, EX4400, EX4650, and QFX5120 devices.

Impact

Exploitation of this vulnerability can lead to traffic that the filter should have blocked being sent out of an interface, potentially causing disruptions in downstream networks.

Remediation

Users can update to Junos OS versions 23.4R2-S7 or 24.2R2-S4, where this vulnerability has been fixed. Alternatively, the same filter can be applied under a different name to one of the interfaces, or the filter can be configured as 'interface specific' to create a unique copy for each interface.
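To find configurations that match the trigger condition and still need one of the workarounds, the following added example (not part of the original advisory or Juniper's tooling) scans a configuration in `show configuration | display set` format for filters applied as egress on both an IRB unit and another interface. It assumes the workaround knob appears as `interface-specific`, treats every non-IRB interface as physical, and runs on a constructed sample configuration.

```python
import re
from collections import defaultdict

# Constructed sample in 'display set' format (not taken from a real device).
SAMPLE_CONFIG = """\
set firewall family inet filter BLOCK-OUT term deny-lab from destination-address 192.0.2.0/24
set firewall family inet filter BLOCK-OUT term deny-lab then discard
set firewall family inet filter BLOCK-OUT term rest then accept
set firewall family inet6 filter V6-OUT interface-specific
set firewall family inet6 filter V6-OUT term rest then accept
set interfaces irb unit 100 family inet filter output BLOCK-OUT
set interfaces ge-0/0/1 unit 0 family inet filter output BLOCK-OUT
set interfaces irb unit 200 family inet6 filter output V6-OUT
set interfaces xe-0/0/2 unit 0 family inet6 filter output V6-OUT
set interfaces ge-0/0/3 unit 0 family inet filter output EDGE-ONLY
"""

# Egress filter binding: interface, unit, family (inet or inet6), filter name.
APPLY = re.compile(r"^set interfaces (\S+) unit (\d+) family (inet6?) filter output (\S+)\s*$")
# Filter already configured to create a unique copy per interface (workaround).
IFSPEC = re.compile(r"^set firewall family (inet6?) filter (\S+) interface-specific\s*$")

def find_shared_egress_filters(config_text):
    """Return sorted (family, filter, interfaces) tuples for filters bound as
    egress on both an IRB unit and a non-IRB interface without the workaround."""
    applied = defaultdict(set)   # (family, filter) -> {"ifname.unit", ...}
    interface_specific = set()   # (family, filter) pairs with the workaround
    for raw in config_text.splitlines():
        line = raw.strip()
        m = APPLY.match(line)
        if m:
            ifname, unit, family, name = m.groups()
            applied[(family, name)].add(f"{ifname}.{unit}")
            continue
        m = IFSPEC.match(line)
        if m:
            interface_specific.add((m.group(1), m.group(2)))
    findings = []
    for (family, name), ifaces in applied.items():
        if (family, name) in interface_specific:
            continue  # each interface gets its own copy of the filter
        on_irb = any(i.startswith("irb.") for i in ifaces)
        on_other = any(not i.startswith("irb.") for i in ifaces)
        if on_irb and on_other:
            findings.append((family, name, sorted(ifaces)))
    return sorted(findings)

if __name__ == "__main__":
    for family, name, ifaces in find_shared_egress_filters(SAMPLE_CONFIG):
        print(f"{family} filter {name} shared as egress on: {', '.join(ifaces)}")
```

A filter reported here is only exposed on the affected releases and platforms listed above; on other versions the finding is informational.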

Added: Apr 10, 2026, 12:54 AM
Updated: Apr 10, 2026, 12:54 AM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 0.2
exploitability: 6.6
remediation: 8.3
relevance: 5.5
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.