Arista patches CloudVision vulnerability

Arista has discovered an access control bug affecting some versions of its CloudVision Portal product.

The vulnerability, CVE-2023-24546, affects eight versions of CloudVision Portal when run on-premises.

As well as instances of the portal, the vulnerability is inherited by the CloudVision physical appliance or virtual appliance.

The vulnerability is caused by improper access controls on the connection between CloudVision and appliances.

“A malicious actor with network access to CloudVision” could gain “broader access to telemetry and configuration data within the system,” the company said in an advisory.

Different configurations have different severity ratings, but the highest has a CVSS of 10.0. In the 2021.1 and 2021.2 releases, the bug rates 7.6.

In the 2021.3 train, and 2022.1.0, 2022.1.1, 2022.2.0, 2022.2.1 and 2022.3.0 releases, a further bug would give an attacker “write access to additional parts of the CloudVision database”, elevating the severity to 9.9.

“For clusters that were first deployed with the 2022.2.0 or 2022.2.1 releases, the CVSS score is 10.0,” the advisory states, again because of another bug.

Users need to upgrade to 2022.1.2, 2022.2.2, or 2022.3.1 since there is no workaround, and there are no indicators of compromise.

The bug does not impact CloudVision as-a-service.
