CVSS3: 10 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.976 High (Percentile: 100.0%)

Revision | Date | Changes |
---|---|---|
1.6 | May 20th, 2022 | Update CVEs affected release info |
1.5 | January 4th, 2022 | Add information about CVE-2021-44832 |
1.4 | December 21st, 2021 | Add information about CVE-2021-45105 |
1.3 | December 17th, 2021 | Add information about CVE-2021-4104 |
1.2 | December 16th, 2021 | Add patch link and more vulnerability details |
1.1 | December 13th, 2021 | Update on affected products and versions |
1.0 | December 12th, 2021 | Initial release |
Arista Networks is providing this security update in response to the following related security vulnerabilities:
Of these vulnerabilities, only CVE-2021-44228 and CVE-2021-4104 affect some of Arista’s products, as listed below.
Arista Engineering and Security teams have deployed fixes to all affected cloud services and are actively developing patches for the remaining affected products. This advisory will continue to be updated as more information becomes available.
The following products are affected by CVE-2021-44228:
(*) The affected products use Log4j 2.x indirectly through Elasticsearch and/or Logstash and are vulnerable to CVE-2021-44228. Based on Arista’s analysis of how these modules are used and on information provided by Elastic, we believe these products are not exposed to Remote Code Execution. Information Leak and/or Denial-of-Service remain possible, and we recommend implementing the mitigations.
The following products are affected by CVE-2021-4104:
The following cloud services were affected and patches have been deployed:
The following products are NOT affected:
The following document describes detailed steps to patch and mitigate all vulnerabilities on affected products (login required).
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
Please visit Customer Support for up-to-date information on how to open a service request via email or telephone.