CVE-2022-22215 — Missing Release of Resource after Effective Lifetime in Networks Junos OS

CWE-772 — Missing Release of Resource after Effective Lifetime4 documents4 sources

Severity

5.5MEDIUMNVD

CNA6.5

EPSS

0.3%

top 47.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Juniper Networks Junos OS Juniper Networks Junos OS Evolved Juniper Junos +1 more

Timeline

PublishedJul 20

Latest updateJul 21

Description

A Missing Release of File Descriptor or Handle after Effective Lifetime vulnerability in plugable authentication module (PAM) of Juniper Networks Junos OS and Junos OS Evolved allows a locally authenticated attacker with low privileges to cause a Denial of Service (DoS). It is possible that after the termination of a gRPC connection the respective/var/run/.env file is not getting deleted which if occurring repeatedly can cause inode exhaustion. Inode exhaustion can present itself in two differen…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5juniper_networks/junos_os_evolvedunspecified — 20.4R3-EVO+2

▶CVEListV5juniper_networks/junos_osunspecified — 19.1R3-S8+9

▶NVDjuniper/junos_os_evolved< 20.4+3

▶NVDjuniper/junos< 19.1+10

🔴Vulnerability Details

GHSA

GHSA-g948-gw7m-3495: A Missing Release of File Descriptor or Handle after Effective Lifetime vulnerability in plugable authentication module (PAM) of Juniper Networks Juno↗2022-07-21

▶

CVEList

Junos OS and Junos OS Evolved: /var/run/<pid>.env files are potentially not deleted during termination of a gRPC connection causing inode exhaustion↗2022-07-20

▶

📋Vendor Advisories

Juniper

CVE-2022-22215: A Missing Release of File Descriptor or Handle after Effective Lifetime vulnerability in plugable authentication module (PAM) of Juniper Networks Juno↗2022-07-20

▶