Today, we released the first Cisco IOS Software Security Advisory Bundled Publication of 2014. Six years ago, Cisco committed to disclosing IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year) in direct response to your feedback. We know this timeline allows your organization to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes six advisories that affect the following technologies:
- Session Initiation Protocol
- Network Address Translation
- Internet Key Exchange Version 2
- IPv6
- SSL VPN
- Cisco 7600 RSP720 with 10GE Uplinks
Make sure you also take a look at the Cisco Event Response—our go-to document that correlates the full array of Cisco Security Intelligence Operations (SIO) resources for this bundle (including links to the advisories, mitigations, Cisco IntelliShield Alerts, CVSS scores, and OVAL content). As the project manager who oversees the management and delivery of these bundled disclosures, I’m always impressed at the level of effort and collaboration involved. A dedicated team of incident managers, a variety of partner organizations, special tooling, months of preparation, thousands of communications—these all come together on the fourth Wednesday of March and September.
The next Cisco IOS Software Security Advisory Bundled Publication is scheduled for September 24, 2014. Why don’t you mark your calendar now? And don’t forget—for all things security, visit the SIO portal, the primary outlet for Cisco’s security intelligence and the public home to all of our security-related content.
We found out about this policy of biannual disclosure of security updates a few years ago and we really like it. It helps us plan our IOS upgrades. However, it’s unfortunate that it does not extend to all of Cisco’s products. The “any given Wednesday” approach for all the rest of the Cisco products is a thorn in our patch management process – http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#ds
Frequently we see vulnerabilities announced for IOS, and then a subset of the same vulnerabilities are announced for the ASA a month or so later. This seems to happen almost every time IOS vulnerabilities are announced. It’s unfortunate because it gives hackers a period of time in which they can attack the ASA before the updated code is available.
What progress can be made to align these vulnerability disclosures between IOS and ASA, and to set schedules for the vulnerability/patch disclosures in other Cisco products?
Hi Blake. Thanks for taking the time to comment; we’re pleased that your organization appreciates the semiannual disclosure schedule for Cisco IOS Software.
Although we don’t have scheduled dates for vulnerability disclosures in other software at this time, we make every effort to “bundle” together multiple Security Advisories when possible (for instance, with Cisco ASA Software, like you referenced). However, we want to be very clear that ASA vulnerability disclosures are absolutely not related to the semiannual IOS bundles. If we ever determine that ASA is affected by any of the vulnerabilities included in an IOS bundle, they will be disclosed on the same day.
Please feel free to review our public Security Vulnerability Policy (http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html), which contains detailed information about our disclosure practices.