Cisco Blogs



OpenSSL Heartbleed vulnerability CVE-2014-0160 – Cisco products and mitigations

*** UPDATED 15-April 2014  ***

By now, almost everyone has heard of the OpenSSL Heartbleed vulnerability with CVE id CVE-2014-0160. The vulnerability has to do with the implementation of the TLS heartbeat extension (RFC6520) and could allow secret key or private information leakage in TLS encrypted communications. For more detailed information, visit the VRT’s analysis.

Cisco maintains a Cisco Event Response Page with details about the vulnerability and network mitigations.


A Bundle is Born

Today, we released the first Cisco IOS Software Security Advisory Bundled Publication of 2014. Six years ago, Cisco committed to disclosing IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year) in direct response to your feedback. We know this timeline allows your organization to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.

Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes six advisories that affect the following technologies:

  • Session Initiation Protocol
  • Network Address Translation
  • Internet Key Exchange Version 2
  • IPv6
  • SSL VPN
  • Cisco 7600 RSP720 with 10GE Uplinks


T-7: The Bundle Countdown Begins…

It’s that time of year again—the Cisco IOS Software Security Advisory Bundled Publication will go live in seven days. As a reminder, the Cisco Product Security Incident Response Team (PSIRT) releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of March and September each calendar year. As is the case with the vast majority of our advisories, vulnerabilities scheduled for disclosure in these upcoming Security Advisories will normally have a Common Vulnerability Scoring System (CVSS) Base Score from 7.0 to 10.0.

To ensure you’re prepared for the upcoming publication, consider:

  • Creating a text file of all the Cisco IOS Software releases in your network
  • Assembling a simple list of Cisco IOS Software technologies and features you use
  • Noting your Cisco.com username and password
  • Locating the username and password for your Cisco IOS routers and switches
  • Ensuring network operation partners are prepared for the security advisory release
  • Reviewing the benefits of OVAL and CVRF content


A Culture of Transparency

Many Cisco customers with an interest in product security are aware of our security advisories and other publications issued by our Product Security Incident Response Team (PSIRT). That awareness is probably more acute than usual following the recent Cisco IOS Software Security Advisory Bundled Publication on September 25. But many may not be aware of the reasoning behind why, when, and how Cisco airs its “dirty laundry.”

Our primary reason for disclosing vulnerabilities is to ensure customers are able to accurately assess, mitigate, and remediate the risk our vulnerabilities may pose to the security of their networks.

In order to deliver on that promise, Cisco has made some fundamental and formative decisions that we’ve carried forward since our first security advisory in June 1995.


It’s Back – It’s Cisco IOS Software Security Advisory Bundle Time Again

Today, we released the final Cisco IOS Software Security Advisory Bundled Publication of 2013. We committed to these predictable disclosures back in 2008 because your feedback was clear—they allow you to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments. (For more information on the history of this evolution, take a look at my colleague John Stuppi’s post this past March.) If you haven’t had the opportunity to review my earlier posts on preparing for bundled disclosures or leveraging the Cisco IOS Software Checker tool, I’d encourage you to do so now. Hopefully, the guidance will help lessen the impact of evaluating the recently published Cisco Security Advisories.
