CVE-2023-36849

MEDIUM

Juniper Networks Junos OS/Junos OS Evolved - DoS

Title source: llm

Description

An Improper Check or Handling of Exceptional Conditions vulnerability in the Layer-2 control protocols daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS). When a malformed LLDP packet is received, l2cpd will crash and restart. The impact of the l2cpd crash is reinitialization of STP protocols (RSTP, MSTP or VSTP), and MVRP and ERP. Also, if any services depend on LLDP state (like PoE or VoIP device recognition), then these will also be affected. Continued receipt of such packets will lead to a sustained Denial of Service. This issue affects: Juniper Networks Junos OS 21.4 versions prior to 21.4R3-S3; 22.1 versions prior to 22.1R3-S3; 22.2 versions prior to 22.2R2-S1, 22.2R3; 22.3 versions prior to 22.3R2. Juniper Networks Junos OS Evolved 21.4-EVO versions prior to 21.4R3-S2-EVO; 22.1-EVO versions prior to 22.1R3-S3-EVO; 22.2-EVO versions prior to 22.2R2-S1-EVO, 22.2R3-EVO; 22.3-EVO versions prior to 22.3R2-EVO.

References (1)

[Mitigation, Vendor Advisory] https://supportportal.juniper.net/JSA71660

Scores

CVSS v3 6.5

EPSS 0.0009

EPSS Percentile 26.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-703

Status published

Products (8)

juniper/junos 21.4 (10 CPE variants)

juniper/junos 22.1 r1 (9 CPE variants)

juniper/junos 22.2 r1 (4 CPE variants)

juniper/junos 22.3 r1 (3 CPE variants)

juniper/junos_os_evolved 21.4 (9 CPE variants)

juniper/junos_os_evolved 22.1 r1 (8 CPE variants)

juniper/junos_os_evolved 22.2 r1 (3 CPE variants)

juniper/junos_os_evolved 22.3 r1 (3 CPE variants)

Published Jul 14, 2023

Tracked Since Feb 18, 2026