{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47497", "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "state": "PUBLISHED", "assignerShortName": "juniper", "dateReserved": "2024-09-25T15:26:52.609Z", "datePublished": "2024-10-11T15:28:49.424Z", "dateUpdated": "2024-10-11T17:41:24.159Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["SRX Series", "EX Series", "QFX Series", "MX Series"], "product": "Junos OS", "vendor": "Juniper Networks", "versions": [{"lessThan": "21.4R3-S7", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "22.2R3-S4", "status": "affected", "version": "22.2", "versionType": "semver"}, {"lessThan": "22.3R3-S3", "status": "affected", "version": "22.3", "versionType": "semver"}, {"lessThan": "22.4R3-S2", "status": "affected", "version": "22.4", "versionType": "semver"}, {"lessThan": "23.2R2-S1", "status": "affected", "version": "23.2", "versionType": "semver"}, {"lessThan": "23.4R1-S2, 23.4R2", "status": "affected", "version": "23.4", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(239, 250, 102);\"><span style=\"background-color: rgb(255, 255, 255);\">Required config:<br></span></span><tt><span style=\"background-color: rgb(239, 250, 102);\"><span style=\"background-color: rgb(255, 255, 255);\">[ system services web-management https ... ]</span></span></tt><br>"}], "value": "Required config:\n[ system services web-management https ... ]"}], "datePublic": "2024-10-09T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Uncontrolled Resource Consumption vulnerability in the http daemon (httpd) of Juniper Networks Junos OS on SRX Series, QFX Series, MX Series and EX Series allows an unauthenticated, network-based attacker to cause Denial-of-Service (DoS).<br><br>An attacker can send specific HTTPS connection requests to the device, triggering the creation of processes that are not properly terminated. Over time, this leads to resource exhaustion, ultimately causing the device to crash and restart.<br><br>The following command can be used to monitor the resource usage:<br><tt><span style=\"background-color: var(--wht);\">user@host&gt; show system processes extensive | match mgd | count<br></span></tt><span style=\"background-color: var(--wht);\"><br>This issue affects Junos OS on SRX Series and EX Series:<br></span><span style=\"background-color: var(--wht);\">All versions before 21.4R3-S7,<br></span><span style=\"background-color: var(--wht);\">from 22.2 before 22.2R3-S4,<br></span><span style=\"background-color: var(--wht);\">from 22.3 before 22.3R3-S3,<br></span><span style=\"background-color: var(--wht);\">from 22.4 before 22.4R3-S2,<br></span><span style=\"background-color: var(--wht);\">from 23.2 before 23.2R2-S1,<br></span><span style=\"background-color: var(--wht);\">from 23.4 before 23.4R1-S2, 23.4R2.</span>"}], "value": "An Uncontrolled Resource Consumption vulnerability in the http daemon (httpd) of Juniper Networks Junos OS on SRX Series, QFX Series, MX Series and EX Series allows an unauthenticated, network-based attacker to cause Denial-of-Service (DoS).\n\nAn attacker can send specific HTTPS connection requests to the device, triggering the creation of processes that are not properly terminated. Over time, this leads to resource exhaustion, ultimately causing the device to crash and restart.\n\nThe following command can be used to monitor the resource usage:\nuser@host> show system processes extensive | match mgd | count\n\nThis issue affects Junos OS on SRX Series and EX Series:\nAll versions before 21.4R3-S7,\nfrom 22.2 before 22.2R3-S4,\nfrom 22.3 before 22.3R3-S3,\nfrom 22.4 before 22.4R3-S2,\nfrom 23.2 before 23.2R2-S1,\nfrom 23.4 before 23.4R1-S2, 23.4R2."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/R:A", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper", "dateUpdated": "2024-10-11T15:28:49.424Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://supportportal.juniper.net/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The following software releases have been updated to resolve this specific issue: 21.4R3-S7, 22.2R3-S4, 22.3R3-S3, 22.4R3-S2, 23.2R2-S1, 23.4R1-S2, 23.4R2, 24.2R1, and all subsequent releases."}], "value": "The following software releases have been updated to resolve this specific issue: 21.4R3-S7, 22.2R3-S4, 22.3R3-S3, 22.4R3-S2, 23.2R2-S1, 23.4R1-S2, 23.4R2, 24.2R1, and all subsequent releases."}], "source": {"advisory": "JSA88124", "defect": ["1783757"], "discovery": "USER"}, "title": "Junos OS: SRX Series, QFX Series, MX Series and EX Series: Receiving specific HTTPS traffic causes resource exhaustion", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There are no known workarounds for this issue.<br><br>To reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to only trusted networks, hosts and users.<br>"}], "value": "There are no known workarounds for this issue.\n\nTo reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to only trusted networks, hosts and users."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "juniper", "product": "junos", "cpes": ["cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "21.4r3-s7", "versionType": "semver"}, {"version": "22.2", "status": "affected", "lessThan": "22.2r3-s4", "versionType": "semver"}, {"version": "22.3", "status": "affected", "lessThan": "22.3r3-s3", "versionType": "semver"}, {"version": "22.4", "status": "affected", "lessThan": "22.4r3-s2", "versionType": "semver"}, {"version": "23.2", "status": "affected", "lessThan": "23.2r2-s1", "versionType": "semver"}, {"version": "23.4", "status": "affected", "lessThan": "23.4r1-s2", "versionType": "semver"}, {"version": "23.4", "status": "affected", "lessThan": "23.4r2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-11T17:38:34.095724Z", "id": "CVE-2024-47497", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T17:41:24.159Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47497", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-11T17:38:34.095724Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*"], "vendor": "juniper", "product": "junos", "versions": [{"status": "affected", "version": "0", "lessThan": "21.4r3-s7", "versionType": "semver"}, {"status": "affected", "version": "22.2", "lessThan": "22.2r3-s4", "versionType": "semver"}, {"status": "affected", "version": "22.3", "lessThan": "22.3r3-s3", "versionType": "semver"}, {"status": "affected", "version": "22.4", "lessThan": "22.4r3-s2", "versionType": "semver"}, {"status": "affected", "version": "23.2", "lessThan": "23.2r2-s1", "versionType": "semver"}, {"status": "affected", "version": "23.4", "lessThan": "23.4r1-s2", "versionType": "semver"}, {"status": "affected", "version": "23.4", "lessThan": "23.4r2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T17:41:11.025Z"}}], "cna": {"title": "Junos OS: SRX Series, QFX Series, MX Series and EX Series: Receiving specific HTTPS traffic causes resource exhaustion", "source": {"defect": ["1783757"], "advisory": "JSA88124", "discovery": "USER"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/R:A", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Juniper Networks", "product": "Junos OS", "versions": [{"status": "affected", "version": "0", "lessThan": "21.4R3-S7", "versionType": "semver"}, {"status": "affected", "version": "22.2", "lessThan": "22.2R3-S4", "versionType": "semver"}, {"status": "affected", "version": "22.3", "lessThan": "22.3R3-S3", "versionType": "semver"}, {"status": "affected", "version": "22.4", "lessThan": "22.4R3-S2", "versionType": "semver"}, {"status": "affected", "version": "23.2", "lessThan": "23.2R2-S1", "versionType": "semver"}, {"status": "affected", "version": "23.4", "lessThan": "23.4R1-S2, 23.4R2", "versionType": "semver"}], "platforms": ["SRX Series", "EX Series", "QFX Series", "MX Series"], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability.", "base64": false}]}], "solutions": [{"lang": "en", "value": "The following software releases have been updated to resolve this specific issue: 21.4R3-S7, 22.2R3-S4, 22.3R3-S3, 22.4R3-S2, 23.2R2-S1, 23.4R1-S2, 23.4R2, 24.2R1, and all subsequent releases.", "supportingMedia": [{"type": "text/html", "value": "The following software releases have been updated to resolve this specific issue: 21.4R3-S7, 22.2R3-S4, 22.3R3-S3, 22.4R3-S2, 23.2R2-S1, 23.4R1-S2, 23.4R2, 24.2R1, and all subsequent releases.", "base64": false}]}], "datePublic": "2024-10-09T16:00:00.000Z", "references": [{"url": "https://supportportal.juniper.net/", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "There are no known workarounds for this issue.\n\nTo reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to only trusted networks, hosts and users.", "supportingMedia": [{"type": "text/html", "value": "There are no known workarounds for this issue.<br><br>To reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to only trusted networks, hosts and users.<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An Uncontrolled Resource Consumption vulnerability in the http daemon (httpd) of Juniper Networks Junos OS on SRX Series, QFX Series, MX Series and EX Series allows an unauthenticated, network-based attacker to cause Denial-of-Service (DoS).\n\nAn attacker can send specific HTTPS connection requests to the device, triggering the creation of processes that are not properly terminated. Over time, this leads to resource exhaustion, ultimately causing the device to crash and restart.\n\nThe following command can be used to monitor the resource usage:\nuser@host> show system processes extensive | match mgd | count\n\nThis issue affects Junos OS on SRX Series and EX Series:\nAll versions before 21.4R3-S7,\nfrom 22.2 before 22.2R3-S4,\nfrom 22.3 before 22.3R3-S3,\nfrom 22.4 before 22.4R3-S2,\nfrom 23.2 before 23.2R2-S1,\nfrom 23.4 before 23.4R1-S2, 23.4R2.", "supportingMedia": [{"type": "text/html", "value": "An Uncontrolled Resource Consumption vulnerability in the http daemon (httpd) of Juniper Networks Junos OS on SRX Series, QFX Series, MX Series and EX Series allows an unauthenticated, network-based attacker to cause Denial-of-Service (DoS).<br><br>An attacker can send specific HTTPS connection requests to the device, triggering the creation of processes that are not properly terminated. Over time, this leads to resource exhaustion, ultimately causing the device to crash and restart.<br><br>The following command can be used to monitor the resource usage:<br><tt><span style=\"background-color: var(--wht);\">user@host&gt; show system processes extensive | match mgd | count<br></span></tt><span style=\"background-color: var(--wht);\"><br>This issue affects Junos OS on SRX Series and EX Series:<br></span><span style=\"background-color: var(--wht);\">All versions before 21.4R3-S7,<br></span><span style=\"background-color: var(--wht);\">from 22.2 before 22.2R3-S4,<br></span><span style=\"background-color: var(--wht);\">from 22.3 before 22.3R3-S3,<br></span><span style=\"background-color: var(--wht);\">from 22.4 before 22.4R3-S2,<br></span><span style=\"background-color: var(--wht);\">from 23.2 before 23.2R2-S1,<br></span><span style=\"background-color: var(--wht);\">from 23.4 before 23.4R1-S2, 23.4R2.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "configurations": [{"lang": "en", "value": "Required config:\n[ system services web-management https ... ]", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(239, 250, 102);\"><span style=\"background-color: rgb(255, 255, 255);\">Required config:<br></span></span><tt><span style=\"background-color: rgb(239, 250, 102);\"><span style=\"background-color: rgb(255, 255, 255);\">[ system services web-management https ... ]</span></span></tt><br>", "base64": false}]}], "providerMetadata": {"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper", "dateUpdated": "2024-10-11T15:28:49.424Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47497", "state": "PUBLISHED", "dateUpdated": "2024-10-11T17:41:24.159Z", "dateReserved": "2024-09-25T15:26:52.609Z", "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "datePublished": "2024-10-11T15:28:49.424Z", "assignerShortName": "juniper"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Uncontrolled Resource Consumption vulnerability in the http daemon (httpd) of Juniper Networks Junos OS on SRX Series, QFX Series, MX Series and EX Series allows an unauthenticated, network-based attacker to cause Denial-of-Service (DoS).\n\nAn attacker can send specific HTTPS connection requests to the device, triggering the creation of processes that are not properly terminated. Over time, this leads to resource exhaustion, ultimately causing the device to crash and restart.\n\nThe following command can be used to monitor the resource usage:\nuser@host> show system processes extensive | match mgd | count\n\nThis issue affects Junos OS on SRX Series and EX Series:\nAll versions before 21.4R3-S7,\nfrom 22.2 before 22.2R3-S4,\nfrom 22.3 before 22.3R3-S3,\nfrom 22.4 before 22.4R3-S2,\nfrom 23.2 before 23.2R2-S1,\nfrom 23.4 before 23.4R1-S2, 23.4R2."}, {"lang": "es", "value": "Una vulnerabilidad de consumo descontrolado de recursos en el daemon http (httpd) del sistema operativo Junos de Juniper Networks en las series SRX, QFX, MX y EX permite que un atacante no autenticado basado en la red provoque una denegaci\u00f3n de servicio (DoS). Un atacante puede enviar solicitudes de conexi\u00f3n HTTPS espec\u00edficas al dispositivo, lo que desencadena la creaci\u00f3n de procesos que no se terminan correctamente. Con el tiempo, esto conduce al agotamiento de los recursos, lo que finalmente hace que el dispositivo se bloquee y se reinicie. Se puede utilizar el siguiente comando para supervisar el uso de los recursos: user@host> show system processes comprehensive | match mgd | Este problema afecta a Junos OS en las series SRX y EX: todas las versiones anteriores a 21.4R3-S7, desde 22.2 hasta 22.2R3-S4, desde 22.3 hasta 22.3R3-S3, desde 22.4 hasta 22.4R3-S2, desde 23.2 hasta 23.2R2-S1, desde 23.4 hasta 23.4R1-S2, 23.4R2."}], "id": "CVE-2024-47497", "lastModified": "2024-10-15T12:58:51.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "sirt@juniper.net", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "AUTOMATIC", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "sirt@juniper.net", "type": "Secondary"}]}, "published": "2024-10-11T16:15:10.340", "references": [{"source": "sirt@juniper.net", "url": "https://supportportal.juniper.net/"}], "sourceIdentifier": "sirt@juniper.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "sirt@juniper.net", "type": "Primary"}]}

{}