Arista Networks is committed to maintaining the highest standards of security across our product portfolio. Leveraging extensive testing and monitoring of vulnerabilities to isolate and neutralize threats early, Arista's Product Security Incident Response Team (PSIRT) provides global coverage for public reporting of possible security vulnerabilities across the product portfolio.
The PSIRT team monitors industry-wide vulnerability reporting as well as providing a single point of contact for customers and interested third parties to investigate and identify potential threats. The PSIRT team also works to communicate these issues back to the user community in a timely manner.
Arista's approach to vulnerability management and links to best practice guidelines can be found here.
Arista PSIRT is happy to work with researchers on discovered vulnerabilities in Arista products, the assignment of CVEs, and timelines for responsible disclosure. If a researcher discovers a new vulnerability they will be acknowledged in the advisory related to the vulnerability. Arista PSIRT is interested in receiving reports on issues affecting features in both Arista code as well as Open Source Software used in Arista products. Security issues found in Open Source Software which do not affect Arista products are out of the scope of Arista and should be referred to the appropriate CNA found here.
The following advisories and referenced materials are provided on an "as is" basis for use at your own risk. Arista Networks reserves the right to change or update the advisories without notice at any time.
January 28th 2015
Arista 7000 Series Products and Arista EOS are not remotely exploitable by CVE-2015- 0235
October 20th 2014
SSLv3 is vulnerable to potential man in the middle attacks (CVE-2014-3566)
January 9th 2015
Arista 7000 Series Products and Arista EOS are not vulnerable to NTP CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, and CVE-2014-9296.
September 29th 2014
Shell command Bash code injection vulnerability (CVE-2014-6271, CVE-2014-6278, and CVE-2014-7169)
June 9th 2014
Open SSL clients running on Arista EOS vulnerable to SSL/TLS MITM vulnerability (CVE-2014-0224)
April 9th 2014
Arista 7000 Series Products and Arista EOS Not Vulnerable to OpenSSL CVE-2014-0160
February 14, 2014
Affected Software Version: EOS-4.13.0F through EOS-4.13.1F.
September 12, 2012
Null pointer dereference in nf_conntrack_ipv6. Affected software releases include EOS-4.8.0 through EOS-4.8.7, EOS-4.9.0 through EOS-4.9.5, EOS-4.10, EOS-4.10.1
June 17, 2008
SNMP v3 authentication may be bypassed on Arista Networks Switches running EOS 2.0.2 or earlier. Recommendation is to upgrade to EOS 2.0.3 or later.