Newsflash: Vulnerability in QFX series

 
Introduction
 
CVE-2016-1274: 2016-04 Security Bulletin: QFX Series: PFE panic while processing VXLAN packets. The QFX 10k series is not affected.
 
CVE-2016-1273: 2016-04 Security Bulletin: QFX Series: Insufficient entropy on QFX systems. Affects QFX5100 and QFX10002.
 
 
Explanation
 
CVE-2016-1274: A vulnerability in the handling of a high rate of certain VXLAN packets may result in a PFE (Packet Forwarding Engine) panic, causing a denial-of-service condition. This issue only affects QFX series devices running Junos 14.1X53 releases prior to 14.1X53-D30. QFX 10k series devices are not affected.
 
CVE-2016-1273: QFX series devices may have insufficient entropy. This can affect system mechanisms that depend on high-quality random numbers, such as encryption and authentication.
 
Workaround
 
CVE-2016-1274: Disabling VXLAN or using firewall filters to block VXLAN packets will prevent the issue from occurring.
 
CVE-2016-1273: There are no known workarounds for this issue.
 
Conclusion
 
CVE-2016-1274: The following software releases have been updated to resolve this specific issue: Junos OS 14.1X53-D30 and all subsequent releases.
 
CVE-2016-1273: The following software releases have been updated to resolve this specific issue: Junos OS 13.2X51-D40, 14.1X53-D30, 15.1X53-D20 and all subsequent releases.
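The affected and fixed releases above can be checked against a device inventory. The following is an added example, not part of the original bulletin or Juniper tooling: the inventory is constructed, the status labels are this example's own, and every QFX model is assumed to be in scope for CVE-2016-1273.

```python
import re

# Fixed releases as stated in the bulletin: branch -> first fixed D-release.
# "other" is the status for a branch the bulletin does not list for that CVE.
ADVISORIES = {
    "CVE-2016-1274": {"fixed": {"14.1X53": 30}, "other": "not-affected",
                      "qfx10k_affected": False},
    "CVE-2016-1273": {"fixed": {"13.2X51": 40, "14.1X53": 30, "15.1X53": 20},
                      "other": "unknown", "qfx10k_affected": True},
}

# Junos X-release strings look like 14.1X53-D25.2 (branch, D-release, optional respin).
X_RELEASE = re.compile(r"^(\d+\.\d+X\d+)-D(\d+)(?:\.\d+)?$")


def parse_x_release(version):
    """Return (branch, d_release), or None if the string is not an X-release."""
    m = X_RELEASE.match(version.strip())
    return (m.group(1), int(m.group(2))) if m else None


def assess(model, version):
    """Map each CVE to vulnerable / fixed / not-affected / unknown / out-of-scope."""
    parsed = parse_x_release(version)
    is_qfx10k = model.upper().startswith("QFX10")
    result = {}
    for cve, adv in ADVISORIES.items():
        if not model.upper().startswith("QFX"):
            result[cve] = "out-of-scope"      # bulletin covers QFX series only
        elif is_qfx10k and not adv["qfx10k_affected"]:
            result[cve] = "not-affected"      # QFX 10k exempt from CVE-2016-1274
        elif parsed is None:
            result[cve] = "unknown"           # cannot compare, check manually
        elif parsed[0] not in adv["fixed"]:
            result[cve] = adv["other"]
        else:
            fixed_d = adv["fixed"][parsed[0]]
            result[cve] = "fixed" if parsed[1] >= fixed_d else "vulnerable"
    return result


# Constructed sample inventory (hostnames, models and versions are made up).
INVENTORY = [
    ("leaf-01", "QFX5100-48S", "14.1X53-D25.2"),
    ("leaf-02", "QFX5100-48S", "14.1X53-D30.3"),
    ("spine-01", "QFX10002-72Q", "15.1X53-D10"),
]

if __name__ == "__main__":
    for host, model, version in INVENTORY:
        print(host, model, version, assess(model, version))
```

A result of "unknown" means the release string is not in a branch the bulletin names for that CVE, so the device needs a manual check against the vendor advisory.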
 
Priority
 
CVE-2016-1274: Medium
CVE-2016-1273: High
 
For more information and assistance, please contact Infradata by phone at +31 (0)71 750 15 25 or by e-mail at support@infradata.nl.
 
