Security Advisories

 

Arista Networks is committed to maintaining the highest standards of security across our product portfolio. Leveraging extensive testing and monitoring of vulnerabilities to isolate and neutralize threats early, Arista's Product Security Incident Response Team (PSIRT) provides global coverage for public reporting of possible security vulnerabilities across the product portfolio.

The PSIRT team monitors industry-wide vulnerability reporting as well as providing a single point of contact for customers and interested third parties to investigate and identify potential threats. The PSIRT team also works to communicate these issues back to the user community in a timely manner.

Arista's approach to vulnerability management and links to best practice guidelines can be found here.

For technical assistance with workarounds and hotfix installations recommended in security advisories, please contact the Arista Support team at 이 이메일 주소가 스팸봇으로부터 보호됩니다. 확인하려면 자바스크립트 활성화가 필요합니다..

Report security vulnerabilities found in Arista products to the PSIRT team via 이 이메일 주소가 스팸봇으로부터 보호됩니다. 확인하려면 자바스크립트 활성화가 필요합니다.. It is recommended to use Arista's PGP key for secure and private communication directly with the PSIRT team.

Arista PSIRT is happy to work with researchers on discovered vulnerabilities in Arista products, the assignment of CVEs, and timelines for responsible disclosure. If a researcher discovers a new vulnerability they will be acknowledged in the advisory related to the vulnerability. Arista PSIRT is interested in receiving reports on issues affecting features in both Arista code as well as Open Source Software used in Arista products. Security issues found in Open Source Software which do not affect Arista products are out of the scope of Arista and should be referred to the appropriate CNA found here.

 

PSIRT Advisories

The following advisories and referenced materials are provided on an "as is" basis for use at your own risk. Arista Networks reserves the right to change or update the advisories without notice at any time.

Security Advisory 0083

On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service.

Security Advisory 0082

On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol enabled, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability.

Security Advisory 0081

Arista Networks is providing this security update in response to the following related security vulnerabilities:

On Tuesday, November 1st it was announced that OpenSSL versions from 3.0.0 to 3.0.6 are vulnerable to two high severity vulnerabilities that if exploited, could result in significant disclosure of sensitive information from memory, remote compromise of system private keys, and potentially remote code execution.

Security Advisory 0080

This advisory documents the impact of 4 publicly disclosed vulnerabilities within Ethernet encapsulation protocols on Arista products. These issues affect multiple networking vendors and the coordination of this disclosure has been handled by IEEE. Affected Arista products include EOS systems and Wi-Fi Access Point. The affected software releases are listed below.

Security Advisory 0079

The CVE-ID tracking this issue: CVE-2022-29071
CVSSv3.1 Base Score: 4.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Common Weakness Enumeration (CWE): CWE-200
(Exposure of Sensitive Information to an Unauthorized Actor)
The internal bug tracking this issue: BUG 695468

Security Advisory 0078

July 19th, 2022

The CVE-ID tracking this issue: CVE-2021-28511
CVSSv3.1 Base Score: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)
Common Weakness Enumeration (CWE): CWE-284 Improper Access Control
The internal bug tracking this issue: BUG 641088

Security Advisory 0077

May 27th, 2022

This security advisory addresses CVEs:

CVE-2021-28508

  • CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
  • CWE: CWE-255 Credentials Management Errors
  • Tracking bug:  BUG635204 (TerminAttr), BUG664159 (Octa)

Security Advisory 0076

April 26th, 2022

The CVE-ID tracking this issue: CVE-2021-28510
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Common Weakness Enumeration: CWE-400 (Uncontrolled Resource Consumption)
This vulnerability is being tracked by BUG638107

Security Advisory 0075

July 20th, 2022

The CVE-ID tracking this issue: CVE-2022-0778
CVSSv3.1 Base Score: 7.5( CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H )
CWE: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
This vulnerability is being tracked by BUG674519(EOS) and BUG680261(MOS)

Security Advisory 0074

April 1st, 2022

The CVE-ID tracking this issue: CVE-2021-28504
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Common Weakness Enumeration: CWE-284 Improper Access Control
This vulnerability is being tracked by BUG 614735