PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9012 Arista CVE debrief

CVE-2016-9012 describes a high-severity authorization flaw in Arista CloudVision Portal (CVP). An authenticated remote user could reach internal configuration mechanisms through the management plane by making a request associated with /web/system/console/bundle. The vulnerability applies to CVP versions before 2016.1.2.1, with NVD listing affected CPE versions through 2016.1.2.0.

Vendor: Arista
Product: Arista CloudVision Portal (CVP)
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Arista CloudVision Portal administrators, network operations teams, and security teams responsible for managing or monitoring CVP management-plane access.

Technical summary

The NVD record classifies this issue as CVSS 3.0 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) with CWE-264. The problem is an access-control failure affecting the management plane: a remote authenticated user can reach internal configuration mechanisms via a request tied to /web/system/console/bundle. The published version cutoff indicates remediation at 2016.1.2.1 or later.

Defensive priority

High. The attack requires authentication, but the potential impact is broad and severe across confidentiality, integrity, and availability.

Recommended defensive actions

  • Upgrade Arista CloudVision Portal to version 2016.1.2.1 or later.
  • Confirm no CVP instances remain on versions earlier than 2016.1.2.1; the NVD CPE range indicates exposure through 2016.1.2.0.
  • Review authentication and authorization controls around the management plane and internal configuration features.
  • Audit logs for access to /web/system/console/bundle and related management-plane activity.
  • Limit CVP access to trusted administrative networks and monitor for unusual authenticated session behavior.
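As an added example (not Arista's or PatchSiren's code) of the version check and log audit recommended above: a small Python script that flags CVP builds before 2016.1.2.1 and pulls requests to /web/system/console/bundle out of access-log lines. It assumes a combined-format HTTP access log and uses constructed sample lines, since the real CVP log layout is not described on this page.

```python
# Added example (not Arista's or PatchSiren's code). Assumes a generic
# combined-format HTTP access log; a real CVP log layout may differ.
import re

FIXED_VERSION = (2016, 1, 2, 1)  # first remediated CVP release per the advisory
SENSITIVE_PATH = "/web/system/console/bundle"

def parse_version(text):
    """'2016.1.2' -> (2016, 1, 2, 0): pad short tags so they compare correctly."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))[:4]

def is_vulnerable(version):
    """True when the CVP build predates 2016.1.2.1 (so 2016.1.2.0 is vulnerable)."""
    return parse_version(version) < FIXED_VERSION

# Combined-log style line: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_console_bundle_access(lines):
    """Return (ip, user, ts, method, status) for each request to the console bundle path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Match the path itself or anything below it; ignore the query string.
        path = m.group("path").split("?", 1)[0]
        if path == SENSITIVE_PATH or path.startswith(SENSITIVE_PATH + "/"):
            hits.append((m.group("ip"), m.group("user"), m.group("ts"),
                         m.group("method"), int(m.group("status"))))
    return hits

# Constructed sample log lines (not real CVP output).
SAMPLE_LOG = [
    '10.0.0.5 - cvpadmin [23/Jan/2017:10:01:02 +0000] "GET /web/ HTTP/1.1" 200',
    '10.0.0.9 - operator1 [23/Jan/2017:10:02:15 +0000] "GET /web/system/console/bundle HTTP/1.1" 200',
    '10.0.0.9 - operator1 [23/Jan/2017:10:02:16 +0000] "POST /web/system/console/bundle/12?action=x HTTP/1.1" 200',
    '10.0.0.7 - - [23/Jan/2017:10:03:00 +0000] "GET /web/system/console/bundlex HTTP/1.1" 404',
]

if __name__ == "__main__":
    print([v for v in ("2016.1.2", "2016.1.2.0", "2016.1.2.1") if is_vulnerable(v)])
    for hit in find_console_bundle_access(SAMPLE_LOG):
        print("console/bundle access:", hit)
```

The path check deliberately excludes look-alike prefixes such as /web/system/console/bundlex, so a hit list can be fed to an alert rule without prefix false positives.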

Evidence notes

This debrief is based only on the supplied official records and linked references. The CVE description states that CVP before 2016.1.2.1 allows remote authenticated users to gain access to internal configuration mechanisms via the management plane, related to a request to /web/system/console/bundle. The NVD record lists the affected Arista CloudVision Portal CPE as vulnerable through 2016.1.2.0 and assigns CVSS 3.0 8.8 with CWE-264. Official references provided in the source set include the CVE record, NVD detail, and Arista vendor advisory.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-23. The source record was later modified on 2026-05-13, but that is not the issue date.