CVE-2021-28505

Summary

On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksEOS4.26.3M <= 4.26.0affected
Arista NetworksEOS4.27.0F <= 4.27.0affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control

Workarounds

Replace "vxlan" IP protocol match with match on IP protocol "udp" and Layer 4 destination port for VxLAN encapsulated packets i.e 4789. < br/> If VXLAN L4 destination port number is not the default 4789 then use the configured L4 destination port number.

ADP Enrichment

CVE Program Container

Additional References

References