CVE-2023-28968

Junos OS: SRX Series: Policies that rely on JDPI-Decoder actions may fail open

Description

An Improperly Controlled Sequential Memory Allocation vulnerability in the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) Application Signature component of Junos OS's AppID service on SRX Series devices will stop the JDPI-Decoder from identifying dynamic application traffic, allowing an unauthenticated network-based attacker to send traffic to the target device using the JDPI-Decoder, designed to inspect dynamic application traffic and take action upon this traffic, to instead begin to not take action and to pass the traffic through. An example session can be seen by running the following command and evaluating the output. user@device# run show security flow session source-prefix <address/mask> extensive Session ID: <session ID>, Status: Normal, State: Active Policy name: <name of policy> Dynamic application: junos:UNKNOWN, <<<<< LOOK HERE Please note, the JDPI-Decoder and the AppID SigPack are both affected and both must be upgraded along with the operating system to address the matter. By default, none of this is auto-enabled for automatic updates. This issue affects: Juniper Networks any version of the JDPI-Decoder Engine prior to version 5.7.0-47 with the JDPI-Decoder enabled using any version of the AppID SigPack prior to version 1.550.2-31 (SigPack 3533) on Junos OS on SRX Series: All versions prior to 19.1R3-S10; 19.2 versions prior to 19.2R3-S7; 19.3 versions prior to 19.3R3-S8; 19.4 versions prior to 19.4R3-S11; 20.1 version 20.1R1 and later versions prior to 20.2R3-S7; 20.3 version 20.3R1 and later versions prior to 20.4R3-S6; 21.1 versions prior to 21.1R3-S5; 21.2 versions prior to 21.2R3-S4; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S3; 22.1 versions prior to 22.1R3-S1; 22.2 versions prior to 22.2R2-S1, 22.2R3; 22.3 versions prior to 22.3R1-S2, 22.3R2;

Remediation

Solution:

  • The following software releases have been updated to resolve this specific issue: 19.4R3-S11, 20.2R3-S7, 20.4R3-S6, 21.1R3-S5, 21.2R3-S4, 21.3R3-S3, 21.4R3-S3, 22.1R3-S1, 22.2R2-S1, 22.2R3, 22.3R1-S2, 22.3R2, 22.4R1, and all subsequent releases. Please note: Prior to Junos OS: 21.2R3-S4, 21.3R3-S3, 21.3R3-S3, 21.4R3-S3, 22.1R3-S1, 22.2R2-S1, 22.2R3, 22.3R2, 22.4R1, and all subsequent releases SOF is incorrectly offloading short-lived flows leading to early exhaustion of NP memory, reducing overall device performance. Customers should review PRSearch PR1692100 for such details in conjunction with this advisory. Customers may choose to enable automatic updates for IDP or manually update the IDP security package to receive the fixes. To manually download the IDP signatures: a. Download the IDP security-package on the device: request security idp security-package download b. Check the status of the download: request security idp security-package download status c. Install the IDP security-package on the device: request security idp security-package install d. Check the status of the installation: request security idp security-package install status To enabled automatic update review the instuctions located at: https://supportportal.juniper.net/s/article/SRX-How-to-update-IDP-signature-database-automatically-on-a-SRX == When using AppID only: request services application-identification download request services application-identification download status request services application-identification install request services application-identification install status Or enable auto-update for AppID: [edit] user# set services application-identification download automatic ? Possible completions: interval Attempt to download new application package (hours) start-time Start time(MM-DD.hh:mm / YYYY-MM-DD.hh:mm:ss) Note: This updated signature package is not compatible with v4 engines.

Workaround:

  • There are no known workarounds for this issue other than disabling the AppID service. Additionally, a reboot will temporarily clear the problem until such time that updates can be taken. How long this lasts depends on the customer's network environment and the device being affected.

Categories

5.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.27%
Vendor Advisory juniper.net
Affected: Juniper Networks Junos OS
Affected: Juniper Networks AppID Service Sigpack
Affected: Juniper Networks JDPI-Decoder Engine
Published at:
Updated at:

References

Link Tags
https://supportportal.juniper.net/JSA70592 mitigation vendor advisory
https://www.juniper.net/documentation/us/en/software/jdpi/release-notes/jdpi-decoder-release-notes-october-2022/jdpi-decoder-release-notes-october-2022.pdf release notes
https://supportportal.juniper.net/s/article/SRX-How-to-update-IDP-signature-database-automatically-on-a-SRX product

Frequently Asked Questions

What is the severity of CVE-2023-28968?
CVE-2023-28968 has been scored as a medium severity vulnerability.
How to fix CVE-2023-28968?
To fix CVE-2023-28968: The following software releases have been updated to resolve this specific issue: 19.4R3-S11, 20.2R3-S7, 20.4R3-S6, 21.1R3-S5, 21.2R3-S4, 21.3R3-S3, 21.4R3-S3, 22.1R3-S1, 22.2R2-S1, 22.2R3, 22.3R1-S2, 22.3R2, 22.4R1, and all subsequent releases. Please note: Prior to Junos OS: 21.2R3-S4, 21.3R3-S3, 21.3R3-S3, 21.4R3-S3, 22.1R3-S1, 22.2R2-S1, 22.2R3, 22.3R2, 22.4R1, and all subsequent releases SOF is incorrectly offloading short-lived flows leading to early exhaustion of NP memory, reducing overall device performance. Customers should review PRSearch PR1692100 for such details in conjunction with this advisory. Customers may choose to enable automatic updates for IDP or manually update the IDP security package to receive the fixes. To manually download the IDP signatures: a. Download the IDP security-package on the device: request security idp security-package download b. Check the status of the download: request security idp security-package download status c. Install the IDP security-package on the device: request security idp security-package install d. Check the status of the installation: request security idp security-package install status To enabled automatic update review the instuctions located at: https://supportportal.juniper.net/s/article/SRX-How-to-update-IDP-signature-database-automatically-on-a-SRX == When using AppID only: request services application-identification download request services application-identification download status request services application-identification install request services application-identification install status Or enable auto-update for AppID: [edit] user# set services application-identification download automatic ? Possible completions: interval Attempt to download new application package (hours) start-time Start time(MM-DD.hh:mm / YYYY-MM-DD.hh:mm:ss) Note: This updated signature package is not compatible with v4 engines.
Is CVE-2023-28968 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-28968 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-28968?
CVE-2023-28968 affects Juniper Networks Junos OS, Juniper Networks AppID Service Sigpack, Juniper Networks JDPI-Decoder Engine.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.