CVE-2021-28505
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | EOS | 4.26.3M <= 4.26.0 | affected |
| Arista Networks | EOS | 4.27.0F <= 4.27.0 | affected |
Weaknesses
- CWE-284: CWE-284 Improper Access Control
Workarounds
Replace "vxlan" IP protocol match with match on IP protocol "udp" and Layer 4 destination port for VxLAN encapsulated packets i.e 4789. < br/> If VXLAN L4 destination port number is not the default 4789 then use the configured L4 destination port number.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.