Cisco Logo


Security

Today we announced the September 2009 bundle of Cisco IOS Software Security Advisories. In line with our previous announcements, this grouping of advisories discloses security vulnerabilities in Cisco IOS Software.

Information on the vulnerabilities disclosed today can be found at the Cisco Security Advisory listing page. Additionally, we create an Event Response Page (ERP) for our advisory bundles as we’ve done for Microsoft vulnerabilities since June 2007. These Event Response Pages are designed to be a starting point for your vulnerability triage needs. The pages contain links to important documents as well as the assigned CVEs and CVSS scores. The ERP for the IOS vulnerabilities disclosed today can be found over at our Security Intelligence Operations portal.

The bundling concept was implemented in response to feedback that the lack of an announced schedule for Cisco IOS Software vulnerability disclosure was not allowing customers to appropriately plan for and integrate security advisories into their management processes. As a general rule, our advisory bundle timelines are limited to Cisco IOS Software and do not include any other Cisco products or operating systems. However, if the same vulnerability exists in Cisco IOS Software and another product—for example Cisco IOS-XE or Unified Communications Manager—we will work to release the corresponding advisories simultaneously. In fact, this was done today and in September 2008 when we disclosed SIP-related vulnerabilities that affected both Cisco Unified Communication Manager and Cisco IOS Software.

It is also worth noting that we may release out-of-cycle advisories as needed to reduce your risk to vulnerabilities in Cisco IOS Software. As I’ve discussed before, this flexibility is exercised with your needs in mind, and I believe it’s a good thing.

Although it is becoming less common now that people are more familiar with Cisco’s security advisory bundling—as this is our fourth official Cisco IOS Software Security Advisory bundle—we often receive a similar set of questions from folks in the field. Here are a few of those questions, with answers, in case you are wondering about any of them yourself.

Once you have an understanding of advisory bundling, it is important that you take advantage of the scheduled dates to plan security and software deployment work appropriately. For example and ignoring all other factors, it is best to avoid performing Cisco IOS Software planning or deployments during the weeks leading up to a bundle announcement date. Time and money spent to deploy an IOS image in early March or September may very well be lost only to find on the fourth Wednesday that the deployed image contains one or more security vulnerabilities.

There are several resources that can help you learn of new advisories when they are released. This includes the Cisco Security Intelligence Operations portal and the security advisory listing page at http://www.cisco.com/go/psirt as well as more proactive services such as the PSIRT RSS feeds, the Cisco Notification Service, and the Customer Security Announce mailing list.

The next Cisco IOS Software Security Advisory bundle will be released on the 24th of March 2010. Mark your calendar!

Comments Are Closed

  1. Return to Countries/Regions
  2. Return to Home
  1. All Security
  2. All Security
  3. Return to Home