PT-2020-12732 · Arista · Veos+1

Published: 2020-06-03 · Updated: 2020-06-23 · CVE-2020-11622

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Arista Cloud EOS VM / vEOS versions 4.23.2M and below
Arista Cloud EOS VM / vEOS versions 4.22.4M and below
Arista Cloud EOS VM / vEOS versions 4.21.3M through 4.21.9M
Arista Cloud EOS VM / vEOS version 4.21.3FX-7368.*
Arista Cloud EOS VM / vEOS version 4.21.4-FCRFX.*
Arista Cloud EOS VM / vEOS version 4.21.4.1
Arista Cloud EOS VM / vEOS version 4.21.7.1
Arista Cloud EOS VM / vEOS version 4.22.2.0.1
Arista Cloud EOS VM / vEOS version 4.22.2.2.1
Arista Cloud EOS VM / vEOS version 4.22.3.1
Arista Cloud EOS VM / vEOS version 4.23.2.1

Description

The issue exists in the CloudEOS VM / vEOS Router code when TCP MSS options are configured, potentially impacting traffic forwarding if a specific malformed TCP packet is delivered over the data plane. This vulnerability is specific to CloudEOS VM / vEOS Router software and does not affect EOS running on physical switches, routers, or other Arista products.

Recommendations

For Arista Cloud EOS VM / vEOS versions 4.23.2M and below, update to a version above 4.23.2M.
For Arista Cloud EOS VM / vEOS versions 4.22.4M and below, update to a version above 4.22.4M.
For Arista Cloud EOS VM / vEOS versions 4.21.3M through 4.21.9M, update to a version outside this range.
For Arista Cloud EOS VM / vEOS version 4.21.3FX-7368.*, update to a version that is not 4.21.3FX-7368.*.
For Arista Cloud EOS VM / vEOS version 4.21.4-FCRFX.*, update to a version that is not 4.21.4-FCRFX.*.
For Arista Cloud EOS VM / vEOS version 4.21.4.1, update to a version that is not 4.21.4.1.
For Arista Cloud EOS VM / vEOS version 4.21.7.1, update to a version that is not 4.21.7.1.
For Arista Cloud EOS VM / vEOS version 4.22.2.0.1, update to a version that is not 4.22.2.0.1.
For Arista Cloud EOS VM / vEOS version 4.22.2.2.1, update to a version that is not 4.22.2.2.1.
For Arista Cloud EOS VM / vEOS version 4.22.3.1, update to a version that is not 4.22.3.1.
For Arista Cloud EOS VM / vEOS version 4.23.2.1, update to a version that is not 4.23.2.1.

As a temporary workaround, consider disabling TCP MSS options in the affected Router code until a patch is available.

Related Identifiers

CVE-2020-11622

Affected Products

Cloud Eos Vm
Veos