Today, we released the first-ever Cisco IOS Software and IOS XE Software Security Advisory Bundled Publication. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year). In direct response to your feedback, we have also included a Cisco Security Advisory addressing vulnerabilities in Cisco IOS XE Software in this publication. We hope this timeline and additional “bundling” continue to allow your organization to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.

Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:

  • Autonomic Network Infrastructure (ANI)
  • Common Industrial Protocol (CIP)
  • Multicast Domain Name System (mDNS)
  • TCP
  • Virtual Routing and Forwarding (VRF)
  • Internet Key Exchange Version 2 (IKEv2)
  • Cisco IOS XE Software

Before the September 2014 bundle, we announced exciting enhancements to the Cisco IOS Software Checker. As my colleague Kevin Saling shared, the tool is now capable of displaying first-fixed software release data based on the combination of Cisco IOS Software releases and Cisco Security Advisories selected. Users can now quickly identify the first release that addresses all vulnerabilities disclosed in the selected advisories. I’m sure everyone recalls lengthy fixed software tables with hundreds of rows of data in Cisco IOS Software advisories; these static tables were replaced with a direct link to the Cisco IOS Software Checker. As you shared in direct feedback, the tables posed a number of problems, most notably that they displayed point-in-time data and were not updated to reflect new releases. The Cisco IOS Software Checker is updated daily to include the most up-to-date information on recent Cisco IOS Software releases, and you’ve reported that this is far superior to the point-in-time data included in the old tables. Please take an opportunity to query the enhanced tool now! In the meantime, check the table below for a quick status update on some major Cisco IOS Software trains:

Major Cisco IOS Software Train    March 2015 IOS Bundle Status
12.2SXJ                           Vulnerable
15.0SY                            Vulnerable
15.1M                             Vulnerable
15.2M                             Vulnerable
15.2E                             Vulnerable
15.3M                             Vulnerable
15.3S                             Vulnerable
15.4S                             Vulnerable

Keep in mind that the Cisco IOS Software Checker does not support Cisco IOS XE Software; please consult each Cisco Security Advisory for vulnerability status. It’s simple to navigate to all this content via our Cisco Event Response—our go-to document that correlates the full array of Cisco Security resources for this bundle (including links to the advisories, mitigations, Cisco IntelliShield Alerts, CVSS scores, and OVAL content). As the project manager who oversees the management and delivery of these bundled disclosures, I’m always impressed at the level of effort and collaboration involved. A dedicated team of incident managers, a variety of partner organizations, special tooling, months of preparation, thousands of communications—these all come together on the fourth Wednesday of March and September.

The next Cisco IOS Software Security Advisory Bundled Publication is scheduled for September 23, 2015. Mark your calendars now. And don’t forget—for all things security, visit the Cisco Security Portal, the primary outlet for Cisco’s security intelligence and the public home to all our security-related content.



Authors

Erin Float

Project Manager

Security Research and Operations Group