CVE Vulnerability Details: CVE-2025-5088
PUBLISHED
Assigner: Arista
Assigner Org ID: c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7
Published At: 05 Jun, 2026 | 15:58
Updated At: 05 Jun, 2026 | 15:58
CVE Numbering Authority (CNA)
Arista CloudVision Exchange (CVX) Cluster Privilege Escalation via MCS Redis Session

An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, currently occurs in plaintext. TLS support is tracked under RFE1294850.

Affected Products
Vendor: Arista Networks, Inc. (Arista Networks)
Product: EOS / CloudVision eXchange (CVX)
Platforms:
  • CloudVision eXchange
  • virtual or physical appliance
Default Status: unaffected
Affected Versions:
  • From 4.34.0F through 4.34.1F (custom)
  • From 4.33.0M through 4.33.4M (custom)
  • From 4.32.0M through 4.32.6M (custom)
  • From 4.31.0M through 4.31.8M (custom)
  • From 4.30.0 before 4.31.0 (custom)
Problem Types
Type: CWE
CWE ID: CWE-269
Description: CWE-269: Improper Privilege Management
Metrics
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Impacts
CAPEC ID: CAPEC-233
Description: CAPEC-233 Privilege Escalation
Solutions

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see EOS User Manual: Upgrades and Downgrades: https://www.arista.com/en/um-eos/eos-upgrades-and-downgrades

CVE-2025-5088 has been fixed in the following releases:
  • 4.34.2F and later releases in the 4.34.x train
  • 4.33.5M and later releases in the 4.33.x train
  • 4.32.7M and later releases in the 4.32.x train
  • 4.31.9M and later releases in the 4.31.x train

Configurations

In order to be vulnerable to CVE-2025-5088, the following condition must be met:

MCS Service must be configured:

    cvx1#show cvx service mcs
    Mcs
      Status: Enabled
      Supported versions: 1
      Switch     Status    Negotiated Version
      ------     -------   ------------------
      <Switch1>  Enabled   1

    cvx1#show running-config section mcs
    cvx
       service mcs
          redis password 7 03054902151B20
          no shutdown

If MCS Service is not configured there is no exposure to this issue and the message will look like:

    cvx1#show cvx service mcs
    Mcs
      Status: Disabled
      Supported versions: 1
      Switch     Status    Negotiated Version
      ------     --------  ------------------
      <Switch1>  Disabled

Workarounds

To run the redis-server as a dedicated "redis" user and group on the CVX server, follow these steps, ensuring all changes are applied correctly and the service restarts smoothly. This approach enhances security by isolating the Redis process with its own user and group permissions. Please ensure that these mitigation steps are tested thoroughly in a non-production environment prior to production deployment.

Log in to the CVX Server
Access your CVX server (e.g. using SSH) using the appropriate credentials. This is the initial point of access for all subsequent configuration changes.

Stop Redis Before Applying Changes
It is crucial to stop Redis to prevent data corruption or conflicts while modifying its configuration. This is achieved by unconfiguring the Redis password on the MCS service. Executing "no redis password" stops the Redis service by removing its authentication credentials, which prevents it from running.

    cvx>enable
    cvx#config
    cvx(config)#cvx
    cvx(config-cvx)#service mcs
    cvx(config-cvx-mcs)#no redis password
    cvx(config-cvx-mcs)#

Edit the redis.service Systemd Service File
This step involves modifying the systemd service file for Redis to specify the dedicated user and group under which Redis will run. First, transition to bash mode from the CVX configuration prompt:

    cvx(config-cvx-mcs)#bash

Once in bash, use sudo nano to edit the redis.service file:

    [cvx ~]$sudo nano /etc/systemd/system/redis.service

Add 'User' and 'Group' Directives to the [Service] Section
Within the redis.service file, locate the [Service] section and add the following lines:

    [Service]
    User=redis
    Group=redis

This modification ensures that when the redis-server starts, it will execute under the context of the redis user and redis group, thereby enforcing stricter access controls and enhancing system security. Save and exit the editor.

Change Ownership of the Redis Log File
To ensure the redis user has appropriate write permissions for its log file, change the ownership of /var/log/redis/redis.log to the redis user and group.

    [cvx ~]$sudo chown redis:redis /var/log/redis/redis.log

This step is required for the Redis server to be able to write logs once it restarts under the new user and group.

Restart Redis with the New Changes
After making all necessary modifications, restart Redis to apply the new configuration. This is done by reconfiguring the Redis password, which will bring the service back online. First, exit bash mode:

    [cvx ~]$exit

Then, reconfigure the Redis password:

    cvx(config-cvx-mcs)#redis password <secret>

Replace <secret> with your actual Redis password. This action will re-enable Redis, and it will now run with the specified redis user and redis group.

NOTE: Following a CVX server reload or power cycle, all previously mentioned steps must be repeated.
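A check for the workaround above, as an added example that is not part of the Arista advisory or of this record: it parses a unit file and confirms that User= and Group= are set to redis inside the [Service] section, which is worth re-running after every reload because the steps do not persist. The function names are hypothetical; directives that appear under any other section are reported as not applied.

```sh
#!/bin/sh
# Added verification example (not from the Arista advisory). Function names are hypothetical.

# unit_service_value FILE KEY
# Print the last value assigned to KEY inside the [Service] section of a unit file.
unit_service_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                   # comment lines
        /^[ \t]*\[/ {                            # section header
            gsub(/[ \t\r]/, "")
            in_service = ($0 == "[Service]")
            next
        }
        in_service {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v                # later assignments win
        }
        END { print val }
    ' "$1"
}

# redis_unit_hardened FILE
# Exit status: 0 = User and Group are both "redis", 1 = not applied, 2 = file unreadable.
redis_unit_hardened() {
    [ -r "$1" ] || { echo "MISSING: $1" >&2; return 2; }
    u=$(unit_service_value "$1" User)
    g=$(unit_service_value "$1" Group)
    if [ "$u" = "redis" ] && [ "$g" = "redis" ]; then
        echo "OK: User=$u Group=$g"
        return 0
    fi
    # With no User= in [Service], systemd starts a system service as root.
    echo "NOT APPLIED: User=${u:-<unset, runs as root>} Group=${g:-<unset>}" >&2
    return 1
}

# Run against a unit file path when one is given on the command line.
if [ "$#" -gt 0 ]; then redis_unit_hardened "$1"; fi
```

From bash on the CVX server, pass /etc/systemd/system/redis.service as the argument. The script does not check the ownership of /var/log/redis/redis.log.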

References
Hyperlink: https://www.arista.com/en/support/advisories-notices/security-advisory/22868-security-advisory-0126
Resource: vendor-advisory