Arista patches CloudVision vulnerability
Arista has discovered an access control bug affecting some versions of its CloudVision Portal product.
The vulnerability, CVE-2023-24546, affects eight versions of CloudVision Portal when run on-premises.
As well as instances of the portal, the vulnerability is inherited by the CloudVision physical appliance or virtual appliance.
The vulnerability is caused by improper access controls on the connection between CloudVision and appliances.
“A malicious actor with network access to CloudVision” could gain “broader access to telemetry and configuration data within the system,” the company said in an advisory.
Different configurations have different severity ratings but the highest has a CVSS of 10.0.
In the 2021.1 and 2021.2 releases, the bug rates 7.6.
In the 2021.3 train, and 2022.1.0, 2022.1.1, 2022.2.0, 2022.2.1 and 2022.3.0 releases, a further bug would give an attacker “write access to additional parts of the CloudVision database”, elevating the severity to 9.9.
“For clusters that were first deployed with the 2022.2.0 or 2022.2.1 releases, the CVSS score is 10.0,” the advisory states, again because of another bug.
Users need to upgrade to 2022.1.2, 2022.2.2, or 2022.3.1 since there is no workaround, and there are no indicators of compromise.
The bug does not impact CloudVision as-a-service.