CVE-2019-0031 : Specific IPv6 DHCP packets received by the jdhcpd daemon will cause a memory res

Specific IPv6 DHCP packets received by the jdhcpd daemon will cause a memory resource consumption issue to occur on a Junos OS device using the jdhcpd daemon configured to respond to IPv6 requests. Once started, memory consumption will eventually impact any IPv4 or IPv6 request serviced by the jdhcpd daemon, thus creating a Denial of Service (DoS) condition to clients requesting and not receiving IP addresses. Additionally, some clients which were previously holding IPv6 addresses will not have their IPv6 Identity Association (IA) address and network tables agreed upon by the jdhcpd daemon after the failover event occurs, which leads to more than one interface, and multiple IP addresses, being denied on the client. Affected releases are Juniper Networks Junos OS: 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2.

Published 2019-04-10 20:29:00

Updated 2020-09-29 00:42:19

Source Juniper Networks, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2019-0031

Juniper » Junos
Versions from including (>=) 17.4 and before (<) 17.4r2
cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
Matching versions
Juniper » Junos
Versions from including (>=) 18.1 and before (<) 18.1r2
cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-0031

EPSS FAQ

0.52%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 64 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-0031

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.4	HIGH	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H	2.8	4.0	Juniper Networks, Inc.
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2019-0031

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: sirt@juniper.net (Secondary)
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-0031

http://www.securityfocus.com/bid/107874

Juniper Junos CVE-2019-0031 Remote Denial of Service Vulnerability
Third Party Advisory;VDB Entry
https://kb.juniper.net/JSA10920

Juniper Networks - 2019-04 Security Bulletin: Junos OS: jdhcpd daemon memory consumption Denial of Service when receiving specific IPv6 DHCP packets. (CVE-2019-0031)
Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-0031

Products affected by CVE-2019-0031

Exploit prediction scoring system (EPSS) score for CVE-2019-0031

CVSS scores for CVE-2019-0031

CWE ids for CVE-2019-0031

References for CVE-2019-0031