As previously discussed here on the Cisco Security blog, the Cisco Product Security Incident Response Team (PSIRT) follows a twice-per-year schedule for disclosing high-severity security vulnerabilities in Cisco IOS Software. The next Cisco IOS Software Security Advisory Bundle will be released on the 26th of September at 16:00 GMT. Our Security Vulnerability Policy describes the schedule best:
In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday 16:00 GMT of the month in March and September of each calendar year. This schedule applies to the disclosure of Cisco IOS Software vulnerabilities and does not apply to the disclosure of vulnerabilities in other Cisco products.
We offer several convenient and timely ways to learn of new Cisco Security Advisories and Cisco Security Advisory Bundles.
- Cisco Security Advisory Listing Page: Every Cisco Security Advisory is listed on the Cisco Security Intelligence Operations (SIO) Portal on the advisory listing page. The advisory listing page also displays linked content types. Viewing linked content is as easy as clicking on the icons in the Additional Information column. Icons exist for Applied Mitigation Bulletins, Intrusion Prevention System Signatures, IntelliShield Security Alerts, Event Response Pages, and Cisco Security Blog entries.
- Cisco Security Advisory RSS Feed: The Cisco SIO Portal offers an RSS feed through which Security Advisory information is published. This RSS feed is available at http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml.
- Event Response Pages: Cisco SIO produces an Event Response Page (ERP) for every Cisco Security Advisory Bundle, monthly Microsoft Security Advisory announcement, and other high-impact security events such as the recent Oracle Java vulnerabilities. These ERPs are listed on the Cisco SIO Portal on a dedicated ERP listing page and published via an RSS feed.
- Security Advisory Announcement Email List: Our PSIRT team also publishes information about released advisories to the Customer Security Announce email list. This list is maintained by Cisco and open to the public. Information about subscribing to this list is available in the Receiving Security Vulnerability Information from Cisco section of our Security Vulnerability Policy.
Regardless of which of the above tools you use to stay up to date with advisories as they're released (and it is strongly recommended that you use one or more of them), you can always find all of the relevant security information by visiting the Cisco SIO Portal at http://cisco.com/security.
After the security advisories are published on the 26th, the Cisco IOS Software Checker can be used to help you determine whether or not the Cisco IOS Software versions in use in your network are vulnerable to the newly disclosed vulnerabilities. Until then, any time spent understanding the IOS versions and configurations deployed in your network is time very well spent.
On September 26th we will also be making a separate but very relevant announcement. I won't steal the thunder of my friend Omar Santos, but suffice it to say that the announcement will demonstrate Cisco's continued commitment to machine-readable security content and the work Omar, Mike Schiffman, and others have been doing within Cisco and in various industry forums. Be sure to check back here on 9/26!