Today, we released the final Cisco IOS Software Security Advisory Bundled Publication of 2014. Six years ago, Cisco committed to disclosing IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year) in direct response to your feedback. We know this timeline allows your organization to plan and help ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.

Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes six advisories that affect the following technologies:

  • Resource Reservation Protocol (RSVP)
  • Metadata
  • Multicast Domain Name System (mDNS)
  • Session Initiation Protocol (SIP)
  • DHCP version 6 (DHCPv6)
  • Network Address Translation (NAT)

Last week, we were thrilled to announce the first in a series of enhancements to the Cisco IOS Software Checker tool. As my colleague Kevin Saling shared, a key addition to the tool is the ability to display the first-fixed software release based on the combination of Cisco IOS Software releases and Cisco Security Advisories selected by the user. Users can now quickly identify the first release that addresses all vulnerabilities disclosed in the selected advisories.

Many of you recall lengthy IOS fixed software tables with hundreds of rows of data—these static tables have now been replaced with a direct link to the Cisco IOS Software Checker. As you shared in direct feedback, the tables posed a number of problems, most notably that they displayed point-in-time data and were not updated to reflect new releases. The data in Cisco IOS Software Checker is updated daily to include the most up-to-date information on recent Cisco IOS Software releases. Please take the opportunity to query the enhanced tool now.

Make sure you also take a look at the Cisco Event Response—our go-to document that correlates the full array of Cisco Security resources for this bundle (including links to the advisories, mitigations, Cisco IntelliShield Alerts, CVSS scores, and OVAL content). As the project manager who oversees the management and delivery of these bundled disclosures, I’m always impressed at the level of effort and collaboration involved. A dedicated team of incident managers, a variety of partner organizations, special tooling, months of preparation, thousands of communications—these all come together on the fourth Wednesday of March and September.

The next Cisco IOS Software Security Advisory Bundled Publication is scheduled for March 25, 2015. Mark your calendars now. And don’t forget—for all things security, visit the Cisco Security portal, the primary outlet for Cisco’s security intelligence and the public home to all our security-related content.


Erin Float

Project Manager

Security Research and Operations Group