This issue affects MX Series and EX9200 Series with Trio-based PFEs (Packet Forwarding Engines), including MX-MPC1-3D, MX-MPC1E-3D, MX-MPC2-3D, MX-MPC2E-3D, MPC-3D-16XGE, and CHAS-MXxx Series MPCs.
An administrator can use the following CLI command to monitor the memory usage level of the MPC:

    show system resource-monitor fpc
    FPC Resource Usage Summary

    Free Heap Mem Watermark         : 20  %
    Free NH Mem Watermark           : 20  %
    Free Filter Mem Watermark       : 20  %

    * - Watermark reached

    Slot #         % Heap Free        RTT      Average RTT
         1            87
                     PFE #   % ENCAP mem Free   % NH mem Free   % FW mem Free
                        0          NA               88              99
                        1          NA               89              99

When the issue is occurring, the value of "% NH mem Free" will go down until the MPC restarts. When this issue occurs, there will be a temporary traffic interruption until the MPC is restored.

On Juniper Networks MX Series and EX9200 Series platforms with Trio-based MPCs (Modular Port Concentrators) where Integrated Routing and Bridging (IRB) interfaces are configured and mapped to a VPLS instance or a Bridge-Domain, certain Layer 2 network events at Customer Edge (CE) devices may cause memory leaks in the MPC of Provider Edge (PE) devices, which can cause an out-of-memory condition and an MPC restart.
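As an added example (not part of the advisory and not Juniper tooling), the Python code below parses successive captures of the show system resource-monitor fpc output and flags PFEs whose "% NH mem Free" only falls between captures or has reached the watermark. The captures are constructed; the indentation of PFE rows under the "PFE #" header and the reading of the watermark as a floor on free memory are assumptions.

```python
import re

def parse_resource_monitor(text):
    """Return (nh_watermark, {(slot, pfe): % NH mem Free}) for one CLI capture."""
    m = re.search(r"Free NH Mem Watermark\s*:\s*(\d+)", text)
    watermark = int(m.group(1)) if m else None
    nh_free, slot, pfe_col = {}, None, None
    for line in text.splitlines():
        tokens = line.replace("*", " ").split()  # '*' flags "Watermark reached"
        indent = len(line) - len(line.lstrip())
        if "PFE #" in line:
            pfe_col = indent  # assumption: PFE rows are indented at least this far
        elif not tokens or not tokens[0].isdigit():
            continue  # headers, watermark settings, blank lines
        elif pfe_col is not None and indent >= pfe_col:
            if slot is not None and len(tokens) >= 4 and tokens[2].isdigit():
                nh_free[(slot, int(tokens[0]))] = int(tokens[2])  # 3rd column
        else:
            slot = int(tokens[0])  # slot row: Slot #, % Heap Free, ...
    return watermark, nh_free

def nh_leak_suspects(captures, min_drop=5):
    """Flag PFEs whose NH free memory only falls across time-ordered captures."""
    history, suspects, watermark = {}, {}, None
    for text in captures:
        wm, nh_free = parse_resource_monitor(text)
        watermark = wm if wm is not None else watermark
        for key, value in nh_free.items():
            history.setdefault(key, []).append(value)
    for key, values in history.items():
        falling = all(b <= a for a, b in zip(values, values[1:]))
        low = watermark is not None and values[-1] <= watermark  # assumed meaning
        if (falling and values[0] - values[-1] >= min_drop) or low:
            suspects[key] = {"values": values, "at_watermark": low}
    return suspects

# Constructed captures in the layout of the CLI output; only % NH mem Free varies.
TEMPLATE = """\
FPC Resource Usage Summary
Free Heap Mem Watermark         : 20  %
Free NH Mem Watermark           : 20  %
Free Filter Mem Watermark       : 20  %
* - Watermark reached
Slot #         % Heap Free        RTT      Average RTT
     1            87
                 PFE #   % ENCAP mem Free   % NH mem Free   % FW mem Free
                    0          NA               {a}              99
                    1          NA               {b}              99"""
SAMPLES = [TEMPLATE.format(a=a, b=b) for a, b in [(88, 89), (61, 89), (19, 88)]]
```

Calling nh_leak_suspects(SAMPLES) reports only slot 1, PFE 0; PFE 1 drifts by a single point and stays below the min_drop threshold.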
This issue does not affect Junos OS Evolved. This issue does not affect EX Series devices. This issue does not affect releases prior to Junos OS 16.1R1.

On QFX10008, QFX10016 devices, an indicator of compromise may be the existence of DCPFE core files. Continued receipt and processing of these genuine packets will create a sustained Denial of Service (DoS) condition. A reboot is required to restore service and clear the kernel memory. On QFX10008, QFX10016 devices, depending on the number of FPCs involved in an attack, one or more FPCs may crash and traffic through the device may be degraded in other ways, until the attack traffic stops.

    18.3 versions prior to 18.3R3-S4
    18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S7
    19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S4
    19.2 versions prior to 19.2R1-S6, 19.2R3-S2
    19.3 versions prior to 19.3R2-S6, 19.3R3-S1
    19.4 versions prior to 19.4R1-S4, 19.4R2-S3, 19.4R3-S1
    20.1 versions prior to 20.1R2
    20.2 versions prior to 20.2R2-S1, 20.2R3
    20.3 versions prior to 20.3R1-S1, 20.3R2

This issue does not affect Juniper Networks Junos OS versions prior to 18.2R1.

A kernel memory leak in QFX10002-32Q, QFX10002-60C, QFX10002-72Q, QFX10008, QFX10016 devices Flexible PIC Concentrators (FPCs) on Juniper Networks Junos OS allows an attacker to send genuine packets destined to the device to cause a Denial of Service (DoS) to the device.

This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

A vulnerability has been identified in NX 1953 Series (All versions

    show system processes extensive | match "username|netstat"
      PID USERNAME  PRI NICE   SIZE    RES STATE  C   TIME    WCPU COMMAND
    21181 root      100    0  5458M  4913M CPU3   2   0:59  97.27% netstat

The following log message might be observed if this issue happens:

    kernel: %KERN-3: pid 21181 (netstat), uid 0, was killed: out of swap space

This issue affects Juniper Networks Junos OS 18.2 versions prior to 18.2R2-S8, 18.2R3-S7.
The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed.