Revision | Date | Changes |
---|---|---|
1.0 | April 3, 2024 | Initial release |
The CVE-ID tracking this issue: CVE-2024-3094
CVSSv3.1 Base Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Arista Networks is providing this security update in response to the following related security vulnerability:
CVE-2024-3094: Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
No Arista products are affected. Individual products are listed below.
This CVE only affects xz in version 5.6.0 and 5.6.1. No Arista products are using these versions.
The following product versions and platforms are NOT affected by this vulnerability:
Arista EOS-based products:
Arista Wireless Access Points
CloudVision CUE, virtual appliance or physical appliance
CloudVision CUE cloud service delivery
CloudVision eXchange, virtual or physical appliance
CloudVision Portal, virtual appliance or physical appliance
CloudVision as-a-Service
CloudVision AGNI
Arista 7130 Systems running MOS
Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
Arista Network Detection and Response (NDR) Security Platform (Formerly Awake NDR)
Arista Edge Threat Management - Arista NG Firewall and Arista Micro Edge (Formerly Untangle)
Arista NetVisor OS, Arista NetVisor UNUM, and Insight Analytics (Formerly Pluribus)
If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:
By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support