First published: Tue Aug 29 2023
On affected platforms running Arista EOS with mirroring to multiple destinations configured, an internal system error may trigger a kernel panic and cause system reload.
Credit: psirt@arista.com
Affected Software | Affected Version | How to fix |
---|---|---|
Arista EOS | >=4.28.2f, <=4.28.5.1m | |
Arista EOS | >=4.29.0, <4.29.2f | |
Arista 7280cr3-32d4 | | |
Arista 7280cr3-32p4 | | |
Arista 7280cr3-36s | | |
Arista 7280cr3-96 | | |
Arista 7280cr3a-24d12 | | |
Arista 7280cr3a-48d6 | | |
Arista 7280cr3a-72 | | |
Arista 7280dr3-24 | | |
Arista 7280dr3a-36 | | |
Arista 7280dr3a-54 | | |
Arista 7280dr3ak-36 | | |
Arista 7280dr3ak-54 | | |
Arista 7280dr3am-36 | | |
Arista 7280dr3am-54 | | |
Arista 7280pr3-24 | | |
Arista 7280r3 | | |
Arista 7280sr3-40yc6 | | |
Arista 7280sr3-48yc8 | | |
Arista 7280tr3-40c6 | | |
Arista 7289r3a-sc | | |
Arista 7289r3ak-sc | | |
Arista 7289r3am-sc | | |
Arista 7500r3-24d | | |
Arista 7500r3-24p | | |
Arista 7500r3-36cq | | |
Arista 7500r3k-36cq | | |
Arista 7500r3k-48y4d | | |
Arista 7504r3 | | |
Arista 7508r3 | | |
Arista 7512r3 | | |
Arista 7800r3-36d | | |
Arista 7800r3-36p | | |
Arista 7800r3-48cq | | |
Arista 7800r3a-36d | | |
Arista 7800r3a-36dm | | |
Arista 7800r3a-36p | | |
Arista 7800r3a-36pm | | |
Arista 7800r3ak-36dm | | |
Arista 7800r3ak-36pm | | |
Arista 7800r3k-36dm | | |
Arista 7800r3k-48cq | | |
Arista 7800r3k-48cqms | | |
Arista 7800r3k-72y7512r3 | | |
Arista 7808r3 | | |
Arista 7812r3 | | |
Arista 7816r3 | | |
The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades

CVE-2023-3646 has been fixed in the following releases:

* 4.28.6M and later releases in the 4.28.x train
* 4.29.2F and later releases in the 4.29.x train

Hotfix

The following hotfix can be applied to remediate CVE-2023-3646. The hotfix only applies to the releases listed below and no other releases. All other versions require upgrading to a release containing the fix (as listed above):

* 4.28.2F through 4.28.5.1M releases in the 4.28.x train
* 4.29.1F and earlier releases in the 4.29.x train

Note: Installing/uninstalling the hotfix will result in a restart of the SandFapNi agent and an associated reprogramming of the switch chip. This process could result in outages of 5-20 minutes, depending on the number of active ports in the particular system.

To determine which hotfix to use, run "show version" from the CLI and refer to the "Architecture" field.

Version: 1.0

* URL: SecurityAdvisory88_CVE-2023-3646_Hotfix_i686.swix https://www.arista.com/support/advisories-notices/sa-download/
  SWIX hash (SHA-512): 9c01d1bc1d657879e1a1b657a8c0dab090d589efc3f2c64e9cac1ae0356fce14496809893bffb0892b1505f8b4ee25cad0064bd7315ba6737dc5fdb200539f1a
* URL: SecurityAdvisory88_CVE-2023-3646_Hotfix_x86_64.swix https://www.arista.com/support/advisories-notices/sa-download/
  SWIX hash (SHA-512): 98e98c2c34f81df4da3e4068ac9a81191f4c6ef1acab884972d092c79a7495e00d9a25c8713620d3e25b4699f777810a627634eb8078dcbbb19317ed27a9b0d5

For instructions on installation and verification of the hotfix patch, refer to the "Managing EOS Extensions" https://www.arista.com/en/um-eos/eos-managing-eos-extensions section in the EOS User Manual. Ensure that the patch is made persistent across reboots by running the command 'copy installed-extensions boot-extensions'.
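The triage steps above (decide whether a running EOS version falls in the affected ranges, pick the SWIX by the "Architecture" field of "show version", and check the download against the published SHA-512 before installing) as an added Python example; this is not Arista's code or tooling, the version ranges and digests are taken from this advisory, and the "show version" sample is constructed, so the exact line layout of real output is an assumption:

```python
import hashlib
import re

# SHA-512 digests published in the advisory, keyed by the "Architecture" value
# that "show version" reports for the switch.
HOTFIX = {
    "i686": ("SecurityAdvisory88_CVE-2023-3646_Hotfix_i686.swix",
             "9c01d1bc1d657879e1a1b657a8c0dab090d589efc3f2c64e9cac1ae0356fce14"
             "496809893bffb0892b1505f8b4ee25cad0064bd7315ba6737dc5fdb200539f1a"),
    "x86_64": ("SecurityAdvisory88_CVE-2023-3646_Hotfix_x86_64.swix",
               "98e98c2c34f81df4da3e4068ac9a81191f4c6ef1acab884972d092c79a7495e0"
               "0d9a25c8713620d3e25b4699f777810a627634eb8078dcbbb19317ed27a9b0d5"),
}

# Affected ranges from the advisory table: 4.28.2F..4.28.5.1M (inclusive) and
# 4.29.0..4.29.2F (exclusive upper bound). The hotfix covers exactly these ranges.
AFFECTED = [((4, 28, 2, 0), (4, 28, 5, 1), True),
            ((4, 29, 0, 0), (4, 29, 2, 0), False)]

def parse_eos_version(text):
    """'4.28.5.1M' -> (4, 28, 5, 1); the F/M train letter does not affect ordering."""
    m = re.fullmatch(r"(\d+(?:\.\d+){1,3})[A-Za-z]*", text.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))

def is_affected(version):
    """True when the version lies in a range the advisory lists as affected."""
    v = parse_eos_version(version)
    return any(low <= v and (v <= high if inclusive else v < high)
               for low, high, inclusive in AFFECTED)

def hotfix_for(show_version_output):
    """Pick (swix name, sha512) from the Architecture field of 'show version' output."""
    m = re.search(r"^Architecture:\s*(\S+)", show_version_output, re.M)
    if not m or m.group(1) not in HOTFIX:
        raise ValueError("Architecture field missing or not covered by this hotfix")
    return HOTFIX[m.group(1)]

def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()

def verify_swix(data, expected_hex):
    """Check downloaded SWIX bytes against the published digest before installing."""
    return sha512_hex(data).lower() == expected_hex.lower()

# Constructed sample of the relevant "show version" lines (not real switch output).
SAMPLE_SHOW_VERSION = "Software image version: 4.28.5.1M\nArchitecture: x86_64\n"
```

Running `verify_swix` on the bytes of the downloaded SWIX file with the digest returned by `hotfix_for` gives a pass/fail before the extension is installed and made persistent.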
The vulnerability ID for this issue is CVE-2023-3646.
The severity of CVE-2023-3646 is high.
Platforms running Arista EOS with mirroring to multiple destinations configured are affected by CVE-2023-3646.
No, Arista 7280cr3-32d4 is not vulnerable to CVE-2023-3646.
Apply the necessary software update provided by Arista to fix CVE-2023-3646.