Security Advisories
Arista Networks is committed to maintaining the highest standards of security across our product portfolio. Leveraging extensive testing and monitoring of vulnerabilities to isolate and neutralize threats early, Arista's Product Security Incident Response Team (PSIRT) provides global coverage for public reporting of possible security vulnerabilities across the product portfolio.
The PSIRT team monitors industry-wide vulnerability reporting as well as providing a single point of contact for customers and interested third parties to investigate and identify potential threats. The PSIRT team also works to communicate these issues back to the user community in a timely manner.
Arista's approach to vulnerability management and links to best practice guidelines can be found here.
For technical assistance with workarounds and hotfix installations recommended in security advisories, please contact the Arista Support team at 该邮件地址已受到反垃圾邮件插件保护。要显示它需要在浏览器中启用 JavaScript。.
Report security vulnerabilities found in Arista products to the PSIRT team via 该邮件地址已受到反垃圾邮件插件保护。要显示它需要在浏览器中启用 JavaScript。. It is recommended to use Arista's PGP key for secure and private communication directly with the PSIRT team.
Arista PSIRT is happy to work with researchers on discovered vulnerabilities in Arista products, the assignment of CVEs, and timelines for responsible disclosure. If a researcher discovers a new vulnerability they will be acknowledged in the advisory related to the vulnerability. Arista PSIRT is interested in receiving reports on issues affecting features in both Arista code as well as Open Source Software used in Arista products. Security issues found in Open Source Software which do not affect Arista products are out of the scope of Arista and should be referred to the appropriate CNA found here.
PSIRT Advisories
The following advisories and referenced materials are provided on an "as is" basis for use at your own risk. Arista Networks reserves the right to change or update the advisories without notice at any time.
Security Advisory 0077
May 27th, 2022
This security advisory addresses CVEs:
CVE-2021-28508
- CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
- CWE: CWE-255 Credentials Management Errors
- Tracking bug: BUG635204 (TerminAttr), BUG664159 (Octa)
Security Advisory 0076
April 26th, 2022
The CVE-ID tracking this issue: CVE-2021-28510
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Common Weakness Enumeration: CWE-400 (Uncontrolled Resource Consumption)
This vulnerability is being tracked by BUG638107
Security Advisory 0075
July 20th, 2022
The CVE-ID tracking this issue: CVE-2022-0778
CVSSv3.1 Base Score: 7.5( CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H )
CWE: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
This vulnerability is being tracked by BUG674519(EOS) and BUG680261(MOS)
Security Advisory 0074
April 1st, 2022
The CVE-ID tracking this issue: CVE-2021-28504
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Common Weakness Enumeration: CWE-284 Improper Access Control
This vulnerability is being tracked by BUG 614735
Security Advisory 0073
March 29th, 2022
The CVE-ID tracking this issue: CVE-2021-28505
CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Common Weakness Enumeration: CWE-284 Improper Access Control
This vulnerability is being tracked by BUG 609752
Security Advisory 0072
February 2nd, 2022
The CVE-ID tracking this issue: CVE-2021-28503
CVSSv3.1 Base Score: 7.4( CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)
The internal bug tracking this issue: BUG606686
Security Advisory 0071
January 11th, 2022
This advisory documents the impact of several vulnerabilities related to OpenConfig transport protocols in Arista’s EOS software. Affected software releases are listed below.
Patches and Mitigation for Security Advisory 0070
January 31st, 2022
This document is a companion document to Security Advisory 0070 and it describes the impact and mitigation procedures for this advisory across affected products.
Security Advisory 0070
May 20th, 2022
Arista Networks is providing this security update in response to the following related security vulnerabilities. CVE-2021-44228 is a Remote Code Execution vulnerability in Apache Log4j2 utility (versions <=2.14.1). An attacker who can control log messages or log message parameters can bypass authentication and execute arbitrary code loaded from malicious LDAP servers when message lookup substitution is enabled. CVE-2021-45046 addresses an incomplete fix in Log4j version 2.15.0. CVE-2021-4104 is a Remote Code Execution vulnerability by JMSAppender in Log4j version 1.x in non-default configurations. CVE-2021-45105 is a Denial-of-Service vulnerability by uncontrolled recursion from self-referential lookups in Log4j2 in a non-default Pattern Layout with a Context Lookup.
Security Advisory 0069
October 19th, 2021
The CVE-ID tracking this issue: CVE-2021-28496
CVSSv3.1 Base Score: 5.7( CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)