Juniper Networks Junos OS Denial-of-Service Vulnerability in EX and QFX Series Devices

Vulnerability

A denial-of-service vulnerability has been identified in Juniper Networks Junos OS on certain EX and QFX Series devices. The issue arises in the packet forwarding engine (PFE) when Layer 2 Protocol Tunneling (L2PT) is enabled on a User Network Interface (UNI) and the Virtual Spanning Tree Protocol (VSTP) is active on a Network-to-Network Interface (NNI) in Virtual Extensible LAN (VXLAN) scenarios. Under these conditions, receiving VSTP Bridge Protocol Data Units (BPDUs) on the UNI can lead to packet buffer allocation failures. As a result, the device stops passing traffic until it is manually restarted. The vulnerability affects Junos OS 24.4 versions prior to 24.4R2, and 25.2 versions prior to 25.2R1-S1 and 25.2R2. Devices running Junos OS releases before 24.4R1 are not affected.

Impact

Exploitation of this vulnerability leads to a complete denial-of-service condition, where the device fails to pass traffic until it is manually restarted.

Remediation

Users can upgrade to Junos OS versions 24.4R2, 25.2R1-S1, 25.2R2, 25.4R1, or any subsequent release. Alternatively, to prevent VSTP BPDUs from being processed on UNI interfaces, configure the BPDU block protocol to drop BPDUs on all UNI interfaces.
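The version ranges above can be turned into a fleet triage check. The following is an added example, not code from Juniper or from this page; it classifies by release string only and does not check whether L2PT, VSTP and VXLAN are configured. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Junos release strings look like 24.4R1-S2.5: train 24.4, release R1,
# optional service release S2, optional build suffix (.5), which is ignored.
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

# First fixed (release, service release) per affected train, per the advisory.
FIRST_FIXED = {(24, 4): (2, 0), (25, 2): (1, 1)}


def classify(version: str) -> str:
    """Return 'affected', 'not affected', 'fixed' or 'unknown'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # unparsable string: review by hand
    major, minor, rel, svc = (int(g) if g else 0 for g in m.groups())
    train = (major, minor)
    if train < (24, 4):
        return "not affected"  # releases before 24.4R1
    if train >= (25, 4):
        return "fixed"  # 25.4R1 or any subsequent release
    if train not in FIRST_FIXED:
        return "unknown"  # train not listed in the advisory
    return "affected" if (rel, svc) < FIRST_FIXED[train] else "fixed"


def triage(inventory: dict) -> dict:
    """Group hostnames by classification of their Junos version."""
    result = {}
    for host, version in inventory.items():
        result.setdefault(classify(version), []).append(host)
    return result


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "ex-access-01": "24.4R1-S2.5",
    "qfx-leaf-01": "25.2R1.9",
    "qfx-leaf-02": "25.2R1-S1.4",
    "ex-access-02": "23.4R2-S3",
    "qfx-spine-01": "24.4R2",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as affected still need a configuration review to confirm that the L2PT and VSTP conditions described above apply.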

Added: Apr 10, 2026, 12:38 AM
Updated: Apr 10, 2026, 12:38 AM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.5
remediation: 8.3
relevance: 5.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.