CVE-2021-28505: On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol.
First published: Tue Mar 29 2022(Updated: )
On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol.
Credit: psirt@arista.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Arista EOS | >=4.26<4.26.4m | |
| Arista EOS | >=4.27<4.27.1f | |
| Arista Ccs-710p-12 | ||
| Arista Ccs-710p-16p | ||
| Arista Ccs-720xp-24y6 | ||
| Arista Ccs-720xp-24zy4 | ||
| Arista Ccs-720xp-48y6 | ||
| Arista Ccs-720xp-48zc2 | ||
| Arista Ccs-720xp-96zc2 | ||
| Arista Ccs-722xpm-48y4 | ||
| Arista Ccs-722xpm-48zy8 | ||
| Arista Dcs-7010tx-48 | ||
| Arista Dcs-7050cx3-32s | ||
| Arista Dcs-7050cx3m-32s | ||
| Arista Dcs-7050sx3-48c8 | ||
| Arista Dcs-7050sx3-48yc12 | ||
| Arista Dcs-7050sx3-48yc8 | ||
| Arista Dcs-7050sx3-96yc8 | ||
| Arista Dcs-7050tx3-48c8 |
Remedy
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Artista recommends customers move to the latest version of each release that contains all the fixes listed below. CVE-2021-28505 has been fixed in the following releases: 4.26.4M and later releases in the 4.26.x train 4.27.1F and later releases in the 4.27.x train
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Arista EOS vulnerability?
The vulnerability ID is CVE-2021-28505.
What is the severity of CVE-2021-28505?
The severity of CVE-2021-28505 is high with a CVSS score of 7.5.
Which Arista EOS platforms are affected by CVE-2021-28505?
Arista EOS platforms with versions between 4.26 and 4.26.4m, and between 4.27 and 4.27.1f are affected.
What is the impact of CVE-2021-28505?
The impact of CVE-2021-28505 is that the VXLAN rule and subsequent ACL rules in the affected access list will ignore the specified IP protocol.
Is there a fix available for CVE-2021-28505?
Yes, Arista has provided a fix for CVE-2021-28505. Please refer to the Arista Security Advisory for more information.
- collector/nvd-index
- agent/weakness
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/author
- agent/last-modified-date
- agent/remedy
- agent/references
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/arista
- canonical/arista eos
- version/arista eos/4.26
- version/arista eos/4.27
- canonical/arista ccs-710p-12
- canonical/arista ccs-710p-16p
- canonical/arista ccs-720xp-24y6
- canonical/arista ccs-720xp-24zy4
- canonical/arista ccs-720xp-48y6
- canonical/arista ccs-720xp-48zc2
- canonical/arista ccs-720xp-96zc2
- canonical/arista ccs-722xpm-48y4
- canonical/arista ccs-722xpm-48zy8
- canonical/arista dcs-7010tx-48
- canonical/arista dcs-7050cx3-32s
- canonical/arista dcs-7050cx3m-32s
- canonical/arista dcs-7050sx3-48c8
- canonical/arista dcs-7050sx3-48yc12
- canonical/arista dcs-7050sx3-48yc8
- canonical/arista dcs-7050sx3-96yc8
- canonical/arista dcs-7050tx3-48c8