
CVE-2022-22211: Denial of Service (DoS) in Juniper Networks Junos OS Evolved

High
Tags: Vulnerability, CVE-2022-22211, CVE, CWE-770
Published: Tue Oct 18 2022 (10/18/2022, 02:46:20 UTC)
Source: CVE
Vendor/Project: Juniper Networks
Product: Junos OS Evolved

Description

A limitless resource allocation vulnerability in FPC resources of Juniper Networks Junos OS Evolved on PTX Series allows an unprivileged attacker to cause Denial of Service (DoS). Continuously polling the SNMP jnxCosQstatTable causes the FPC to run out of GUID space, causing a Denial of Service to the FPC resources.

When the FPC runs out of the GUID space, you will see the following syslog messages. The evo-aftmand-bt process is asserting.

fpc1 evo-aftmand-bt[17556]: %USER-3: get_next_guid: Ran out of Guid Space start 1748051689472 end 1752346656767
fpc1 audit[17556]: %AUTH-5: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=17556 comm="EvoAftManBt-mai" exe="/usr/sbin/evo-aftmand-bt" sig=6
fpc1 kernel: %KERN-5: audit: type=1701 audit(1648567505.119:57): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=17556 comm="EvoAftManBt-mai" exe="/usr/sbin/evo-aftmand-bt" sig=6
fpc1 emfd-fpa[14438]: %USER-5: Alarm set: APP color=red, class=CHASSIS, reason=Application evo-aftmand-bt fail on node Fpc1
fpc1 emfd-fpa[14438]: %USER-3-EMF_FPA_ALARM_REP: RaiseAlarm: Alarm(Location: /Chassis[0]/Fpc[1] Module: sysman Object: evo-aftmand-bt:0 Error: 2) reported
fpc1 sysepochman[12738]: %USER-5-SYSTEM_REBOOT_EVENT: Reboot [node] [ungraceful reboot] [evo-aftmand-bt exited]

The FPC resources can be monitored using the following commands:

user@router> start shell
[vrf:none] user@router-re0:~$ cli -c "show platform application-info allocations app evo-aftmand-bt" | grep ^fpc | grep -v Route | grep -i -v Nexthop | awk '{total[$1] += $5} END { for (key in total) { print key " " total[key]/4294967296 }}'

Once the FPCs become unreachable they must be manually restarted as they do not self-recover.
This issue affects Juniper Networks Junos OS Evolved on PTX Series: All versions prior to 20.4R3-S4-EVO; 21.1-EVO version 21.1R1-EVO and later versions; 21.2-EVO version 21.2R1-EVO and later versions; 21.3-EVO versions prior to 21.3R3-EVO; 21.4-EVO versions prior to 21.4R2-EVO; 22.1-EVO versions prior to 22.1R2-EVO.

AI-Powered Analysis

Last updated: 07/04/2025, 22:13:09 UTC

Technical Analysis

CVE-2022-22211 is a high-severity Denial of Service (DoS) vulnerability affecting Juniper Networks Junos OS Evolved running on PTX Series routers. The vulnerability arises from a limitless resource allocation flaw in the Flexible PIC Concentrator (FPC) resources, specifically in the allocation of GUID (Globally Unique Identifier) space. An unprivileged attacker can exploit this by continuously polling the SNMP jnxCosQstatTable, which exhausts the GUID space on the FPC. When the GUID space is depleted, the evo-aftmand-bt process responsible for managing certain FPC resources crashes, triggering syslog messages that record the failure and causing the FPC to become unreachable. The result is a denial of service condition in which the affected FPC resources stop functioning and require a manual restart to recover, as they do not self-heal. The vulnerability affects multiple versions of Junos OS Evolved on PTX Series: all versions prior to 20.4R3-S4-EVO and the later release trains up to their respective fixed releases (21.3R3-EVO, 21.4R2-EVO and 22.1R2-EVO). The vulnerability requires neither authentication nor user interaction and can be triggered remotely over the network with SNMP requests. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability (no confidentiality or integrity impact). This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). No known exploits in the wild have been reported, but the ease of exploitation and the impact on critical network infrastructure make it a significant threat to organizations using affected Juniper PTX routers.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Juniper PTX Series routers for core network routing and infrastructure. The PTX Series routers are commonly deployed in large enterprise networks, telecommunications providers, and data centers. A successful exploitation results in denial of service of critical routing components, potentially disrupting network connectivity, causing outages, and impacting business continuity. This can affect service providers delivering internet, cloud, or managed services, as well as enterprises with critical internal networks. The manual intervention required to recover from the DoS condition increases operational overhead and downtime. Given the vulnerability can be triggered remotely without authentication, it poses a risk of targeted attacks or opportunistic scanning by threat actors. The lack of confidentiality or integrity impact limits data breach risks, but availability disruption in network infrastructure can have cascading effects on dependent services and applications. Organizations in Europe with critical infrastructure or high availability requirements should prioritize addressing this vulnerability to maintain network resilience and service reliability.

Mitigation Recommendations

1. Immediate patching: Upgrade Junos OS Evolved on PTX Series routers to fixed versions as recommended by Juniper Networks (versions 20.4R3-S4-EVO and later patched releases).
2. SNMP access control: Restrict SNMP access to trusted management networks only, using access control lists (ACLs) or firewall rules to prevent unauthorized external polling of the jnxCosQstatTable.
3. Monitoring and alerting: Implement monitoring of FPC resource usage and syslog messages related to evo-aftmand-bt process failures to detect early signs of exploitation or resource exhaustion.
4. Rate limiting: Where possible, apply rate limiting on SNMP queries targeting the jnxCosQstatTable to mitigate excessive polling attempts.
5. Network segmentation: Isolate management interfaces and SNMP services from general user or internet-facing networks to reduce exposure.
6. Incident response readiness: Prepare operational procedures for manual reboot of affected FPCs to minimize downtime if an attack occurs.
7. Vendor communication: Stay updated with Juniper advisories and apply any additional recommended mitigations or patches promptly.

These steps go beyond generic advice by focusing on controlling SNMP access, monitoring specific process failures, and operational readiness for recovery.
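The following Python script is an added example, not part of the advisory or of Juniper's tooling. It serves both the Description (the quoted syslog messages and the awk monitoring pipeline) and mitigation item 3: it matches the advisory's syslog signatures per FPC, checks that the start/end values in the "Ran out of Guid Space" message span exactly 2^32 ids (which is why the advisory's pipeline divides by 4294967296), and re-implements that pipeline over constructed sample rows. The column layout of the allocations command is assumed only as far as the awk assumes it (column 1 is the FPC, column 5 the count).

```python
import re

GUID_SPACE = 4294967296  # 2**32, the divisor used in the advisory's awk pipeline
# Syslog signatures quoted in the advisory for the evo-aftmand-bt failure chain.
SIGNATURES = {
    "guid_exhausted": re.compile(r"get_next_guid: Ran out of Guid Space start (\d+) end (\d+)"),
    "abend": re.compile(r'ANOM_ABEND .*exe="/usr/sbin/evo-aftmand-bt"'),
    "reboot": re.compile(r"SYSTEM_REBOOT_EVENT: .*\[evo-aftmand-bt exited\]"),
}

def detect_fpc_failures(syslog_text):
    # Map each FPC (first syslog field) to the advisory signatures seen for it.
    events = {}
    for line in syslog_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("fpc"):
            for name, pattern in SIGNATURES.items():
                if pattern.search(parts[1]):
                    events.setdefault(parts[0], []).append(name)
    return events

def guid_space_span(line):
    # Number of ids between start and end in a "Ran out of Guid Space" message.
    m = SIGNATURES["guid_exhausted"].search(line)
    return int(m.group(2)) - int(m.group(1)) + 1 if m else None

def guid_usage_fraction(allocations_output):
    """Mirror the awk: per FPC, sum column 5 of non-Route/Nexthop rows over GUID_SPACE."""
    totals = {}
    for line in allocations_output.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith("fpc") or not f[4].isdigit():
            continue
        if "Route" in line or "nexthop" in line.lower():  # grep -v Route | grep -i -v Nexthop
            continue
        totals[f[0]] = totals.get(f[0], 0) + int(f[4])
    return {fpc: total / GUID_SPACE for fpc, total in totals.items()}

# Constructed sample: the first three lines are the advisory's own messages, the last is benign.
SAMPLE_SYSLOG = """\
fpc1 evo-aftmand-bt[17556]: %USER-3: get_next_guid: Ran out of Guid Space start 1748051689472 end 1752346656767
fpc1 audit[17556]: %AUTH-5: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=17556 comm="EvoAftManBt-mai" exe="/usr/sbin/evo-aftmand-bt" sig=6
fpc1 sysepochman[12738]: %USER-5-SYSTEM_REBOOT_EVENT: Reboot [node] [ungraceful reboot] [evo-aftmand-bt exited]
fpc2 evo-aftmand-bt[20001]: %USER-6: periodic stats flush complete
"""
# Constructed rows: only column 1 (FPC) and column 5 (count) are assumed, as the awk does.
SAMPLE_ALLOCATIONS = """\
fpc0 evo-aftmand-bt Route    alloc 1200
fpc0 evo-aftmand-bt CosQueue alloc 3221225472
fpc0 evo-aftmand-bt Nexthop  alloc 900
fpc1 evo-aftmand-bt CosQueue alloc 2147483648
"""
```

A fraction approaching 1.0 for an FPC, or any hit on the guid_exhausted signature, is the point at which the advisory's failure chain (abend, chassis alarm, ungraceful reboot) follows.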


Technical Details

Data Version: 5.1
Assigner Short Name: juniper
Date Reserved: 2021-12-21T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6efa

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/4/2025, 10:13:09 PM

Last updated: 8/11/2025, 6:49:38 AM

