CVE-2018-0004 — Uncontrolled Resource Consumption in Networks Junos OS

CWE-400 — Uncontrolled Resource Consumption CWE-20 — Improper Input Validation CWE-125 — Out-of-bounds Read10 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 47.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Juniper Networks Junos OS Mercurial Juniper Junos +1 more

Timeline

PublishedJan 10

Latest updateMay 13

Description

A sustained sequence of different types of normal transit traffic can trigger a high CPU consumption denial of service condition in the Junos OS register and schedule software interrupt handler subsystem when a specific command is issued to the device. This affects one or more threads and conversely one or more running processes running on the system. Once this occurs, the high CPU event(s) affects either or both the forwarding and control plane. As a result of this condition the device can beco…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5juniper_networks/junos_os12.1X46 — 12.1X46-D50+8

▶NVDjuniper/junos9 versions+8

▶juniperjuniper/junos_os

▶PyPImercurial/mercurial< 4.6.1

🔴Vulnerability Details

GHSA

GHSA-q499-5p9h-r886: A sustained sequence of different types of normal transit traffic can trigger a high CPU consumption denial of service condition in the Junos OS regis↗2022-05-13

▶

GHSA

Mercurial Improper Input Validation vulnerability↗2022-05-13

▶

📋Vendor Advisories

Red Hat

mercurial: Missing check for fragment start position in mpatch.c:mpatch_apply()↗2018-06-06

▶

Juniper

CVE-2018-0004: A sustained sequence of different types of normal transit traffic can trigger a high CPU consumption denial of service condition in the Junos OS regis↗2018-01-10

▶

💬Community

Bugzilla

CVE-2018-4204 webkitgtk: memory corruption processing maliciously crafted web content↗2018-05-11

▶

Bugzilla

CVE-2018-4121 webkitgtk: memory corruption processing maliciously crafted web content↗2018-05-11

▶

Bugzilla

CVE-2018-4200 webkitgtk: memory corruption processing maliciously crafted web content↗2018-05-11

▶

Bugzilla

CVE-2018-1064 libvirt: Incomplete fix for CVE-2018-5748 triggered by QEMU guest agent↗2018-03-01

▶

Bugzilla

CVE-2017-12189 jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for CVE-2016-8656)↗2017-10-09

▶