Cisco Blogs

Cisco Blog > Security

Improvements to Cisco’s Security Vulnerability Disclosures

Cisco is committed to protecting customers by sharing critical security-related information in different formats. Guided by customer feedback, Cisco’s Product Security Incident Response Team (PSIRT) is seeking ways to improve how we communicate information about Cisco product vulnerabilities to our Customers and Partners.  As John Stewart mentioned on his blog post, the Cisco PSIRT has launched a new and improved security vulnerability disclosure format. The new Cisco Security Advisories can be accessed at and at

The intent is to make it easier for Customers and Partners to access information about all security vulnerabilities in Cisco products. Each vulnerability disclosed through our new security advisories are assigned a Common Vulnerability and Exposures (CVE) identifier to aid in identification. Additionally, Cisco will continue to assess all vulnerabilities using the Common Vulnerability Scoring System (CVSS). Check out the sites for CVE, CVSS, and this CVSS scoring calculator if these terms are relatively new to you or you simply need a refresher.

Read More »

Tags: , , , , , , , , ,

Cisco Active Advisor – Network Maintenance and Improvement Made Easy

Who doesn’t enjoy a vacation? And not just one day, but – four!

What if there were a cloud service that saved you so much time, you could actually send all of London’s working population on a 4-day vacation?

Well, that’s exactly what Cisco Active Advisor does – save you time and money so you can do just that! Read Pradeep’s post to find out how – Introducing Cisco Active Advisor – A Free Cisco Tool for Your Network.

But more on that later… Read More »

Tags: , , , , , , , , ,

Announcing the Cisco IOS Software Security Advisory Bundled Publication

Today, we released the final Cisco IOS Software Security Advisory Bundled Publication of 2014. Six years ago, Cisco committed to disclosing IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year) in direct response to your feedback. We know this timeline allows your organization to plan and help ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.

Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes six advisories that affect the following technologies:

  • Resource Reservation Protocol (RSVP)
  • Metadata
  • Multicast Domain Name System (mDNS)
  • Session Initiation Protocol (SIP)
  • DHCP version 6 (DHCPv6)
  • Network Address Translation (NAT)

Read More »

Tags: , , , , , ,

New Standards May Reduce Heartburn Caused by the Next Heartbleed

Ed Paradise, Vice President of Engineering for Cisco’s Threat Response, Intelligence and Development Group

Much has been made of the industry-wide Heartbleed vulnerability and its potential exploitation. Cisco was among the first companies to release a customer Security Advisory when the vulnerability became public, and is now one of many offering mitigation advice.

Those dealing with this issue on a day-to-day basis know it’s not enough to just patch the OpenSSL software library. Organizations also need to revoke and reissue digital certificates for their Heartbleed-vulnerable sites. If your certificates were stored in a Trust Anchor Module (TAM), they are still safe. Otherwise, a few additional steps should be taken to ensure you and your customers are secure:
Read More »

Tags: , , , , ,

Heartbleed: Transparency for our Customers

We know that communicating quickly and openly about security vulnerabilities can result in a little extra public attention for Cisco. As a trustworthy vendor, this is something we’re happy to accept.

It’s recently been said that there is only one thing being discussed by IT security people right now – the OpenSSL heartbeat extension vulnerability (aka Heartbleed). As the guy responding to related media questions for Cisco, that certainly rings true.

This is an industry-wide issue affecting commonly-used, open source encryption software. Some of my colleagues recommended this blog or this blog for an overview of the topic.

Cisco was one of the first to provide a comprehensive update for our customers (April 9): OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products. This advisory continues to be updated, and at the time of this posting was on its fourth version. It provides an overview of the topic, and a full list of the Cisco products confirmed as affected, remediated, or not affected. It also links to more information, including any available workarounds or free software updates.

Our customers can rely on the fact that our response will be managed according to our long-standing security disclosure policy. This means providing the best information we have, as quickly as possible, even if that information could be incomplete at the time. As we continue to make progress, we will continue to update our public-facing information.

To our customers: we recommend staying connected to this information, and consider any implications for your network.

Tags: , , ,