CVE-2025-21600 - Vulnerability Details

Link	Providers
https://supportportal.juniper.net/JSA92870

Type	Values Removed	Values Added
Description	An Out-of-Bounds Read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue only affects systems configured in either of two ways: * systems with BGP traceoptions enabled * systems with BGP family traffic-engineering (BGP-LS) configured and can be exploited from a directly connected and configured BGP peer. This issue affects iBGP and eBGP with any address family configured, and both IPv4 and IPv6 are affected by this vulnerability. This issue affects: Junos OS: * All versions before 21.4R3-S9, * from 22.2 before 22.2R3-S5, * from 22.3 before 22.3R3-S4, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R1-S2, 24.2R2; Junos OS Evolved: * All versions before 21.4R3-S9-EVO, * from 22.2 before 22.2R3-S5-EVO, * from 22.3 before 22.3R3-S4-EVO, * from 22.4 before 22.4R3-S5-EVO, * from 23.2 before 23.2R2-S3-EVO, * from 23.4 before 23.4R2-S2-EVO, * from 24.2 before 24.2R1-S2-EVO, 24.2R2-EVO. This is a similar, but different vulnerability than the issue reported as CVE-2024-39516.	An Out-of-Bounds Read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue only affects systems configured in either of two ways: * systems with BGP traceoptions enabled * systems with BGP family traffic-engineering (BGP-LS) configured and can be exploited from a directly connected and configured BGP peer. This issue affects iBGP and eBGP with any address family configured, and both IPv4 and IPv6 are affected by this vulnerability. This issue affects: Junos OS: * from 21.4 before 21.4R3-S9, * from 22.2 before 22.2R3-S5, * from 22.3 before 22.3R3-S4, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R1-S2, 24.2R2; Junos OS Evolved: * from 21.4-EVO before 21.4R3-S9-EVO, * from 22.2-EVO before 22.2R3-S5-EVO, * from 22.3-EVO before 22.3R3-S4-EVO, * from 22.4-EVO before 22.4R3-S5-EVO, * from 23.2-EVO before 23.2R2-S3-EVO, * from 23.4-EVO before 23.4R2-S2-EVO, * from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO. This issue does not affect versions of Junos OS prior to 21.3R1. This issue does not affect versions of Junos OS Evolved prior to 21.3R1-EVO. This is a similar, but different vulnerability than the issue reported as CVE-2024-39516.

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Description		An Out-of-Bounds Read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue only affects systems configured in either of two ways: * systems with BGP traceoptions enabled * systems with BGP family traffic-engineering (BGP-LS) configured and can be exploited from a directly connected and configured BGP peer. This issue affects iBGP and eBGP with any address family configured, and both IPv4 and IPv6 are affected by this vulnerability. This issue affects: Junos OS: * All versions before 21.4R3-S9, * from 22.2 before 22.2R3-S5, * from 22.3 before 22.3R3-S4, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R1-S2, 24.2R2; Junos OS Evolved: * All versions before 21.4R3-S9-EVO, * from 22.2 before 22.2R3-S5-EVO, * from 22.3 before 22.3R3-S4-EVO, * from 22.4 before 22.4R3-S5-EVO, * from 23.2 before 23.2R2-S3-EVO, * from 23.4 before 23.4R2-S2-EVO, * from 24.2 before 24.2R1-S2-EVO, 24.2R2-EVO. This is a similar, but different vulnerability than the issue reported as CVE-2024-39516.
Title		Junos OS and Junos OS Evolved: With certain BGP options enabled, receipt of specifically malformed BGP update causes RPD crash
Weaknesses		CWE-125
References		https://supportportal.juniper.net/JSA92870
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/R:A/V:C/RE:M/U:Green'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21600", "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "state": "PUBLISHED", "assignerShortName": "juniper", "dateReserved": "2024-12-26T14:47:11.669Z", "datePublished": "2025-01-09T16:49:42.367Z", "dateUpdated": "2025-01-27T22:00:26.801Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Junos OS", "vendor": "Juniper Networks", "versions": [{"lessThan": "21.4R3-S9", "status": "affected", "version": "21.4", "versionType": "semver"}, {"lessThan": "22.2R3-S5", "status": "affected", "version": "22.2", "versionType": "semver"}, {"lessThan": "22.3R3-S4", "status": "affected", "version": "22.3", "versionType": "semver"}, {"lessThan": "22.4R3-S5", "status": "affected", "version": "22.4", "versionType": "semver"}, {"lessThan": "23.2R2-S3", "status": "affected", "version": "23.2", "versionType": "semver"}, {"lessThan": "23.4R2-S3", "status": "affected", "version": "23.4", "versionType": "semver"}, {"lessThan": "24.2R1-S2, 24.2R2", "status": "affected", "version": "24.2", "versionType": "semver"}, {"lessThan": "21.3R1", "status": "unaffected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Junos OS Evolved", "vendor": "Juniper Networks", "versions": [{"lessThan": "21.4R3-S9-EVO", "status": "affected", "version": "21.4-EVO", "versionType": "semver"}, {"lessThan": "22.2R3-S5-EVO", "status": "affected", "version": "22.2-EVO", "versionType": "semver"}, {"lessThan": "22.3R3-S4-EVO", "status": "affected", "version": "22.3-EVO", "versionType": "semver"}, {"lessThan": "22.4R3-S5-EVO", "status": "affected", "version": "22.4-EVO", "versionType": "semver"}, {"lessThan": "23.2R2-S3-EVO", "status": "affected", "version": "23.2-EVO", "versionType": "semver"}, {"lessThan": "23.4R2-S2-EVO", "status": "affected", "version": "23.4-EVO", "versionType": "semver"}, {"lessThan": "24.2R1-S2-EVO, 24.2R2-EVO", "status": "affected", "version": "24.2-EVO", "versionType": "semver"}, {"lessThan": "21.3R1-EVO", "status": "unaffected", "version": "0", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "One of the following traceoptions configurations, either at the top level, under [logical-systems], or [routing-instances], is required to be potentially exposed to this issue: <tt>[protocols bgp traceoptions packets detail] [protocols bgp traceoptions update detail] </tt><tt>[protocols bgp group <group-name> traceoptions packets detail] </tt><tt>[protocols bgp group <group-name> traceoptions update detail] <tt>[protocols bgp group <group-name> neighbor <address> traceoptions packets detail]</tt> [protocols bgp group <group-name> neighbor <address> traceoptions update detail]</tt> \n\nSystems configured with BGP traffic engineering are also vulnerable to this issue: <tt>[protocols bgp group <name> family traffic-engineering unicast]</tt>"}], "value": "One of the following traceoptions configurations, either at the top level, under [logical-systems], or [routing-instances], is required to be potentially exposed to this issue:\n\n[protocols bgp traceoptions packets detail]\n[protocols bgp traceoptions update detail]\n[protocols bgp group <group-name> traceoptions packets detail]\n[protocols bgp group <group-name> traceoptions update detail]\n[protocols bgp group <group-name> neighbor <address> traceoptions packets detail]\n[protocols bgp group <group-name> neighbor <address> traceoptions update detail]\n\n\n\nSystems configured with BGP traffic engineering are also vulnerable to this issue:\n\n[protocols bgp group <name> family traffic-engineering unicast]"}], "credits": [{"lang": "en", "type": "finder", "value": "Juniper SIRT would like to acknowledge and thank Craig Dods from Meta\u2019s Infrastructure Security Engineering team for responsibly reporting this vulnerability."}], "datePublic": "2025-01-08T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Out-of-Bounds Read vulnerability in\n\nthe routing protocol daemon (rpd) of \n\n Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. \n\nThis issue only affects systems configured in\n either of two ways: \n \n <ol>\n <li>systems with BGP traceoptions enabled</li>\n <li>systems with BGP family traffic-engineering (BGP-LS)\n configured</li></ol>\n\n and can be exploited from a directly connected and configured BGP peer.  This issue affects iBGP and eBGP \n\nwith \n\nany address family\n\n configured, and both IPv4 and IPv6 are affected by this vulnerability. This issue affects:Junos OS: <ul><li>\n\nfrom 21.4 before 21.4R3-S9, </li><li>from 22.2 before 22.2R3-S5, </li><li>from 22.3 before 22.3R3-S4, </li><li>from 22.4 before 22.4R3-S5, </li><li>from 23.2 before 23.2R2-S3, </li><li>from 23.4 before 23.4R2-S3, </li><li>from 24.2 before 24.2R1-S2, 24.2R2; </li></ul>Junos OS Evolved: <ul><li>from 21.4-EVO before 21.4R3-S9-EVO, </li><li>from 22.2-EVO before 22.2R3-S5-EVO, </li><li>from 22.3-EVO before 22.3R3-S4-EVO, </li><li>from 22.4-EVO before 22.4R3-S5-EVO, </li><li>from 23.2-EVO before 23.2R2-S3-EVO, </li><li>from 23.4-EVO before 23.4R2-S2-EVO, </li><li>from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.</li></ul>This issue does not affect versions of Junos OS prior to 21.3R1. \n\nThis issue does not affect versions of Junos OS Evolved prior to 21.3R1-EVO.\n\n This is a similar, but different vulnerability than the issue reported as CVE-2024-39516. "}], "value": "An Out-of-Bounds Read vulnerability in\n\nthe routing protocol daemon (rpd) of \n\n Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\n\n\nThis issue only affects systems configured in\n either of two ways:\n\n \n \n * systems with BGP traceoptions enabled\n\n * systems with BGP family traffic-engineering (BGP-LS)\n configured\n\n\n and can be exploited from a directly connected and configured BGP peer.\u00a0\n\nThis issue affects iBGP and eBGP \n\nwith \n\nany address family\n\n configured, and both IPv4 and IPv6 are affected by this vulnerability.\n\nThis issue affects:\n\nJunos OS:\u00a0\n\n\n\n * \n\nfrom 21.4 before 21.4R3-S9,\u00a0\n * from 22.2 before 22.2R3-S5,\u00a0\n * from 22.3 before 22.3R3-S4,\u00a0\n * from 22.4 before 22.4R3-S5,\u00a0\n * from 23.2 before 23.2R2-S3,\u00a0\n * from 23.4 before 23.4R2-S3,\u00a0\n * from 24.2 before 24.2R1-S2, 24.2R2;\u00a0\n\n\n\n\nJunos OS Evolved:\u00a0\n\n\n\n * from 21.4-EVO before 21.4R3-S9-EVO,\u00a0\n * from 22.2-EVO before 22.2R3-S5-EVO,\u00a0\n * from 22.3-EVO before 22.3R3-S4-EVO,\u00a0\n * from 22.4-EVO before 22.4R3-S5-EVO,\u00a0\n * from 23.2-EVO before 23.2R2-S3-EVO,\u00a0\n * from 23.4-EVO before 23.4R2-S2-EVO,\u00a0\n * from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.\n\n\nThis issue does not affect versions of Junos OS prior to 21.3R1.\n\n\nThis issue does not affect versions of Junos OS Evolved prior to 21.3R1-EVO.\n\n\n\nThis is a similar, but different vulnerability than the issue reported as CVE-2024-39516."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/R:A/V:C/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper", "dateUpdated": "2025-01-27T22:00:26.801Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://supportportal.juniper.net/JSA92870"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The following software releases have been updated to resolve this specific issue: Junos OS: 21.4R3-S9, 22.2R3-S5, 22.3R3-S4, 22.4R3-S5, 23.2R2-S3, 23.4R2-S3, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases. Junos OS Evolved: 21.4R3-S9-EVO, 22.2R3-S5-EVO, 22.3R3-S4-EVO, 22.4R3-S5-EVO, 23.2R2-S3-EVO, 23.4R2-S2-EVO, 24.2R1-S2-EVO, 24.2R2-EVO, 24.4R1-EVO, and all subsequent releases. "}], "value": "The following software releases have been updated to resolve this specific issue: \nJunos OS: 21.4R3-S9, 22.2R3-S5, 22.3R3-S4, 22.4R3-S5, 23.2R2-S3, 23.4R2-S3, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.\nJunos OS Evolved: 21.4R3-S9-EVO, 22.2R3-S5-EVO, 22.3R3-S4-EVO, 22.4R3-S5-EVO, 23.2R2-S3-EVO, 23.4R2-S2-EVO, 24.2R1-S2-EVO, 24.2R2-EVO, 24.4R1-EVO, and all subsequent releases."}], "source": {"advisory": "JSA92870", "defect": ["1823612"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2025-01-08T17:00:00.000Z", "value": "Initial Publication"}, {"lang": "en", "time": "2025-01-27T17:00:00.000Z", "value": "Clarified that versions of Junos OS prior to 21.3R1 and Junos OS Evolved prior to 21.3R1-EVO are unaffected."}], "title": "Junos OS and Junos OS Evolved: With certain BGP options enabled, receipt of specifically malformed BGP update causes RPD crash", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "If BGP traceoptions are enabled, and traffic engineering is not configured, disable BGP traceoptions if they are not being used for active troubleshooting."}], "value": "If BGP traceoptions are enabled, and traffic engineering is not configured, disable BGP traceoptions if they are not being used for active troubleshooting."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-09T19:17:42.343288Z", "id": "CVE-2025-21600", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T19:21:59.704Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-21600", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-09T19:17:42.343288Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T19:20:19.984Z"}}], "cna": {"title": "Junos OS and Junos OS Evolved: With certain BGP options enabled, receipt of specifically malformed BGP update causes RPD crash", "source": {"defect": ["1823612"], "advisory": "JSA92870", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Juniper SIRT would like to acknowledge and thank Craig Dods from Meta\u2019s Infrastructure Security Engineering team for responsibly reporting this vulnerability."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 7.1, "Automatable": "NO", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:N/R:A/V:C/RE:M/U:Green", "providerUrgency": "GREEN", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Juniper Networks", "product": "Junos OS", "versions": [{"status": "affected", "version": "21.4", "lessThan": "21.4R3-S9", "versionType": "semver"}, {"status": "affected", "version": "22.2", "lessThan": "22.2R3-S5", "versionType": "semver"}, {"status": "affected", "version": "22.3", "lessThan": "22.3R3-S4", "versionType": "semver"}, {"status": "affected", "version": "22.4", "lessThan": "22.4R3-S5", "versionType": "semver"}, {"status": "affected", "version": "23.2", "lessThan": "23.2R2-S3", "versionType": "semver"}, {"status": "affected", "version": "23.4", "lessThan": "23.4R2-S3", "versionType": "semver"}, {"status": "affected", "version": "24.2", "lessThan": "24.2R1-S2, 24.2R2", "versionType": "semver"}, {"status": "unaffected", "version": "0", "lessThan": "21.3R1", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Juniper Networks", "product": "Junos OS Evolved", "versions": [{"status": "affected", "version": "21.4-EVO", "lessThan": "21.4R3-S9-EVO", "versionType": "semver"}, {"status": "affected", "version": "22.2-EVO", "lessThan": "22.2R3-S5-EVO", "versionType": "semver"}, {"status": "affected", "version": "22.3-EVO", "lessThan": "22.3R3-S4-EVO", "versionType": "semver"}, {"status": "affected", "version": "22.4-EVO", "lessThan": "22.4R3-S5-EVO", "versionType": "semver"}, {"status": "affected", "version": "23.2-EVO", "lessThan": "23.2R2-S3-EVO", "versionType": "semver"}, {"status": "affected", "version": "23.4-EVO", "lessThan": "23.4R2-S2-EVO", "versionType": "semver"}, {"status": "affected", "version": "24.2-EVO", "lessThan": "24.2R1-S2-EVO, 24.2R2-EVO", "versionType": "semver"}, {"status": "unaffected", "version": "0", "lessThan": "21.3R1-EVO", "versionType": "semver"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability.", "base64": false}]}], "timeline": [{"lang": "en", "time": "2025-01-08T17:00:00.000Z", "value": "Initial Publication"}, {"lang": "en", "time": "2025-01-27T17:00:00.000Z", "value": "Clarified that versions of Junos OS prior to 21.3R1 and Junos OS Evolved prior to 21.3R1-EVO are unaffected."}], "solutions": [{"lang": "en", "value": "The following software releases have been updated to resolve this specific issue: \nJunos OS: 21.4R3-S9, 22.2R3-S5, 22.3R3-S4, 22.4R3-S5, 23.2R2-S3, 23.4R2-S3, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.\nJunos OS Evolved: 21.4R3-S9-EVO, 22.2R3-S5-EVO, 22.3R3-S4-EVO, 22.4R3-S5-EVO, 23.2R2-S3-EVO, 23.4R2-S2-EVO, 24.2R1-S2-EVO, 24.2R2-EVO, 24.4R1-EVO, and all subsequent releases.", "supportingMedia": [{"type": "text/html", "value": "The following software releases have been updated to resolve this specific issue: Junos OS: 21.4R3-S9, 22.2R3-S5, 22.3R3-S4, 22.4R3-S5, 23.2R2-S3, 23.4R2-S3, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases. Junos OS Evolved: 21.4R3-S9-EVO, 22.2R3-S5-EVO, 22.3R3-S4-EVO, 22.4R3-S5-EVO, 23.2R2-S3-EVO, 23.4R2-S2-EVO, 24.2R1-S2-EVO, 24.2R2-EVO, 24.4R1-EVO, and all subsequent releases. ", "base64": false}]}], "datePublic": "2025-01-08T17:00:00.000Z", "references": [{"url": "https://supportportal.juniper.net/JSA92870", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "If BGP traceoptions are enabled, and traffic engineering is not configured, disable BGP traceoptions if they are not being used for active troubleshooting.", "supportingMedia": [{"type": "text/html", "value": "If BGP traceoptions are enabled, and traffic engineering is not configured, disable BGP traceoptions if they are not being used for active troubleshooting.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An Out-of-Bounds Read vulnerability in\n\nthe routing protocol daemon (rpd) of \n\n Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\n\n\nThis issue only affects systems configured in\n either of two ways:\n\n \n \n * systems with BGP traceoptions enabled\n\n * systems with BGP family traffic-engineering (BGP-LS)\n configured\n\n\n and can be exploited from a directly connected and configured BGP peer.\u00a0\n\nThis issue affects iBGP and eBGP \n\nwith \n\nany address family\n\n configured, and both IPv4 and IPv6 are affected by this vulnerability.\n\nThis issue affects:\n\nJunos OS:\u00a0\n\n\n\n * \n\nfrom 21.4 before 21.4R3-S9,\u00a0\n * from 22.2 before 22.2R3-S5,\u00a0\n * from 22.3 before 22.3R3-S4,\u00a0\n * from 22.4 before 22.4R3-S5,\u00a0\n * from 23.2 before 23.2R2-S3,\u00a0\n * from 23.4 before 23.4R2-S3,\u00a0\n * from 24.2 before 24.2R1-S2, 24.2R2;\u00a0\n\n\n\n\nJunos OS Evolved:\u00a0\n\n\n\n * from 21.4-EVO before 21.4R3-S9-EVO,\u00a0\n * from 22.2-EVO before 22.2R3-S5-EVO,\u00a0\n * from 22.3-EVO before 22.3R3-S4-EVO,\u00a0\n * from 22.4-EVO before 22.4R3-S5-EVO,\u00a0\n * from 23.2-EVO before 23.2R2-S3-EVO,\u00a0\n * from 23.4-EVO before 23.4R2-S2-EVO,\u00a0\n * from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.\n\n\nThis issue does not affect versions of Junos OS prior to 21.3R1.\n\n\nThis issue does not affect versions of Junos OS Evolved prior to 21.3R1-EVO.\n\n\n\nThis is a similar, but different vulnerability than the issue reported as CVE-2024-39516.", "supportingMedia": [{"type": "text/html", "value": "An Out-of-Bounds Read vulnerability in\n\nthe routing protocol daemon (rpd) of \n\n Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. \n\nThis issue only affects systems configured in\n either of two ways: \n \n <ol>\n <li>systems with BGP traceoptions enabled</li>\n <li>systems with BGP family traffic-engineering (BGP-LS)\n configured</li></ol>\n\n and can be exploited from a directly connected and configured BGP peer.  This issue affects iBGP and eBGP \n\nwith \n\nany address family\n\n configured, and both IPv4 and IPv6 are affected by this vulnerability. This issue affects:Junos OS: <ul><li>\n\nfrom 21.4 before 21.4R3-S9, </li><li>from 22.2 before 22.2R3-S5, </li><li>from 22.3 before 22.3R3-S4, </li><li>from 22.4 before 22.4R3-S5, </li><li>from 23.2 before 23.2R2-S3, </li><li>from 23.4 before 23.4R2-S3, </li><li>from 24.2 before 24.2R1-S2, 24.2R2; </li></ul>Junos OS Evolved: <ul><li>from 21.4-EVO before 21.4R3-S9-EVO, </li><li>from 22.2-EVO before 22.2R3-S5-EVO, </li><li>from 22.3-EVO before 22.3R3-S4-EVO, </li><li>from 22.4-EVO before 22.4R3-S5-EVO, </li><li>from 23.2-EVO before 23.2R2-S3-EVO, </li><li>from 23.4-EVO before 23.4R2-S2-EVO, </li><li>from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.</li></ul>This issue does not affect versions of Junos OS prior to 21.3R1. \n\nThis issue does not affect versions of Junos OS Evolved prior to 21.3R1-EVO.\n\n This is a similar, but different vulnerability than the issue reported as CVE-2024-39516. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "configurations": [{"lang": "en", "value": "One of the following traceoptions configurations, either at the top level, under [logical-systems], or [routing-instances], is required to be potentially exposed to this issue:\n\n[protocols bgp traceoptions packets detail]\n[protocols bgp traceoptions update detail]\n[protocols bgp group <group-name> traceoptions packets detail]\n[protocols bgp group <group-name> traceoptions update detail]\n[protocols bgp group <group-name> neighbor <address> traceoptions packets detail]\n[protocols bgp group <group-name> neighbor <address> traceoptions update detail]\n\n\n\nSystems configured with BGP traffic engineering are also vulnerable to this issue:\n\n[protocols bgp group <name> family traffic-engineering unicast]", "supportingMedia": [{"type": "text/html", "value": "One of the following traceoptions configurations, either at the top level, under [logical-systems], or [routing-instances], is required to be potentially exposed to this issue: <tt>[protocols bgp traceoptions packets detail] [protocols bgp traceoptions update detail] </tt><tt>[protocols bgp group <group-name> traceoptions packets detail] </tt><tt>[protocols bgp group <group-name> traceoptions update detail] <tt>[protocols bgp group <group-name> neighbor <address> traceoptions packets detail]</tt> [protocols bgp group <group-name> neighbor <address> traceoptions update detail]</tt> \n\nSystems configured with BGP traffic engineering are also vulnerable to this issue: <tt>[protocols bgp group <name> family traffic-engineering unicast]</tt>", "base64": false}]}], "providerMetadata": {"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper", "dateUpdated": "2025-01-27T22:00:26.801Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21600", "state": "PUBLISHED", "dateUpdated": "2025-01-27T22:00:26.801Z", "dateReserved": "2024-12-26T14:47:11.669Z", "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "datePublished": "2025-01-09T16:49:42.367Z", "assignerShortName": "juniper"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Out-of-Bounds Read vulnerability in\n\nthe routing protocol daemon (rpd) of \n\n Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\n\n\nThis issue only affects systems configured in\n either of two ways:\n\n \n \n * systems with BGP traceoptions enabled\n\n * systems with BGP family traffic-engineering (BGP-LS)\n configured\n\n\n and can be exploited from a directly connected and configured BGP peer.\u00a0\n\nThis issue affects iBGP and eBGP \n\nwith \n\nany address family\n\n configured, and both IPv4 and IPv6 are affected by this vulnerability.\n\nThis issue affects:\n\nJunos OS:\u00a0\n\n\n\n * \n\nfrom 21.4 before 21.4R3-S9,\u00a0\n * from 22.2 before 22.2R3-S5,\u00a0\n * from 22.3 before 22.3R3-S4,\u00a0\n * from 22.4 before 22.4R3-S5,\u00a0\n * from 23.2 before 23.2R2-S3,\u00a0\n * from 23.4 before 23.4R2-S3,\u00a0\n * from 24.2 before 24.2R1-S2, 24.2R2;\u00a0\n\n\n\n\nJunos OS Evolved:\u00a0\n\n\n\n * from 21.4-EVO before 21.4R3-S9-EVO,\u00a0\n * from 22.2-EVO before 22.2R3-S5-EVO,\u00a0\n * from 22.3-EVO before 22.3R3-S4-EVO,\u00a0\n * from 22.4-EVO before 22.4R3-S5-EVO,\u00a0\n * from 23.2-EVO before 23.2R2-S3-EVO,\u00a0\n * from 23.4-EVO before 23.4R2-S2-EVO,\u00a0\n * from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.\n\n\nThis issue does not affect versions of Junos OS prior to 21.3R1.\n\n\nThis issue does not affect versions of Junos OS Evolved prior to 21.3R1-EVO.\n\n\n\nThis is a similar, but different vulnerability than the issue reported as CVE-2024-39516."}, {"lang": "es", "value": "Una vulnerabilidad de lectura fuera de los l\u00edmites en el daemon de protocolo de enrutamiento (rpd) de Juniper Networks Junos OS y Junos OS Evolved permite que un par BGP no autenticado y l\u00f3gicamente adyacente env\u00ede un paquete BGP espec\u00edficamente malformado para provocar que rpd se bloquee y se reinicie, lo que da como resultado una denegaci\u00f3n de servicio (DoS). La recepci\u00f3n y el procesamiento continuos de este paquete crear\u00e1n una condici\u00f3n de denegaci\u00f3n de servicio (DoS) sostenida. Este problema solo afecta a los sistemas configurados de una de estas dos maneras: * sistemas con opciones de rastreo de BGP habilitadas * sistemas con ingenier\u00eda de tr\u00e1fico de la familia BGP (BGP-LS) configurada y que se puede explotar desde un par BGP conectado y configurado directamente. Este problema afecta a iBGP y eBGP con cualquier familia de direcciones configurada, y tanto IPv4 como IPv6 se ven afectados por esta vulnerabilidad. Este problema afecta a: Junos OS: * Todas las versiones anteriores a 21.4R3-S9, * desde 22.2 hasta 22.2R3-S5, * desde 22.3 hasta 22.3R3-S4, * desde 22.4 hasta 22.4R3-S5, * desde 23.2 hasta 23.2R2-S3, * desde 23.4 hasta 23.4R2-S3, * desde 24.2 hasta 24.2R1-S2, 24.2R2; Junos OS Evolved: * Todas las versiones anteriores a 21.4R3-S9-EVO, * desde 22.2 hasta 22.2R3-S5-EVO, * desde 22.3 hasta 22.3R3-S4-EVO, * desde 22.4 hasta 22.4R3-S5-EVO, * desde 23.2 hasta 23.2R2-S3-EVO, * desde 23.4 hasta 23.4R2-S2-EVO, * desde 24.2 hasta 24.2R1-S2-EVO, 24.2R2-EVO. Esta es una vulnerabilidad similar, pero diferente, al problema informado como CVE-2024-39516."}], "id": "CVE-2025-21600", "lastModified": "2025-01-27T22:15:14.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "sirt@juniper.net", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "automatable": "NO", "availabilityRequirements": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "recovery": "AUTOMATIC", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:C/RE:M/U:Green", "version": "4.0", "vulnerabilityResponseEffort": "MODERATE", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "sirt@juniper.net", "type": "Secondary"}]}, "published": "2025-01-09T17:15:18.960", "references": [{"source": "sirt@juniper.net", "url": "https://supportportal.juniper.net/JSA92870"}], "sourceIdentifier": "sirt@juniper.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "sirt@juniper.net", "type": "Secondary"}]}

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact Low

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact Low

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object