Today, we released the first ever Cisco IOS Software and IOS XE Software Security Advisory Bundled Publication. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year). In direct response to your feedback, we have also included a Cisco Security Advisory addressing vulnerabilities in Cisco IOS XE Software in this publication. We hope this timeline and additional “bundling” continues to allow your organization to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:
- Autonomic Network Infrastructure (ANI)
- Common Industrial Protocol (CIP)
- Multicast Domain Name System (mDNS)
- TCP
- Virtual Routing and Forwarding (VRF)
- Internet Key Exchange Version 2 (IKEv2)
- Cisco IOS XE Software
Before the September 2014 bundle, we announced exciting enhancements to the Cisco IOS Software Checker. As my colleague Kevin Saling shared, the tool is now capable of displaying first-fixed software release data based on the combination of Cisco IOS Software releases and Cisco Security Advisories selected. Users can now quickly identify the first release that addresses all vulnerabilities disclosed in the selected advisories. I’m sure everyone recalls lengthy fixed software tables with hundreds of rows of data in Cisco IOS Software advisories—these static tables were replaced with a direct link to the Cisco IOS Software Checker. As you shared in direct feedback, the tables posed a number of problems, most notably that they displayed point-in-time data and were not updated to reflect new releases. The Cisco IOS Software Checker is updated daily to include the most up-to-date information on recent Cisco IOS Software releases– and you’ve reported that this is far superior to the point-in-time data included in the old tables. Please take an opportunity to query the enhanced tool now! In the meantime, check the table below for a quick status update on some major Cisco IOS Software trains:
| Major Cisco IOS Software Train | March 2015 IOS Bundle Status |
|---|---|
| 12.2SXJ | Vulnerable |
| 15.0SY | Vulnerable |
| 15.1M | Vulnerable |
| 15.2M | Vulnerable |
| 15.2E | Vulnerable |
| 15.3M | Vulnerable |
| 15.3S | Vulnerable |
| 15.4S | Vulnerable |
Keep in mind that the Cisco IOS Software Checker does not support Cisco IOS XE Software; please consult each Cisco Security Advisory for vulnerability status. It’s simple to navigate to all this content via our Cisco Event Response—our go-to document that correlates the full array of Cisco Security resources for this bundle (including links to the advisories, mitigations, Cisco IntelliShield Alerts, CVSS scores, and OVAL content). As the project manager who oversees the management and delivery of these bundled disclosures, I’m always impressed at the level of effort and collaboration involved. A dedicated team of incident managers, a variety of partner organizations, special tooling, months of preparation, thousands of communications—these all come together on the fourth Wednesday of March and September.
The next Cisco IOS Software Security Advisory Bundled Publication is scheduled for September 23, 2015. Mark your calendars now. And don’t forget—for all things security, visit the Cisco Security Portal, the primary outlet for Cisco’s security intelligence and the public home to all our security-related content.
Hi
I would like a tool on CCO where I can enter and store all my Cisco products with their software version. The tool should be able to show or email all vulnerabilities and fixed releases of the devices. Of course not by checking the real configuration but it should result in a repprt like software checker does but for all my products and sw versions.
This could simplify the vulnerability checking.
Where do we get on a mailing list for this publication?
Hi Chris, thanks for taking the time to provide feedback. We’re also glad you’re finding the IOS Software Checker so useful. Cisco is absolutely committed to improving and/or expanding these kinds of tools– keep an eye on the Cisco Security Portal for any future announcements. I’m sure you’re already aware of this feature, but the IOS checker can accept and parse a .txt file with up to 50 releases. It’s not version storage on CCO, but hopefully it helps speed up your analysis.
Hi Daniel– there’s a number of ways to receive security-related information from Cisco, including e-mail, RSS, and the Cisco Notification Service. Take a look at our Security Vulnerability Policy for more information: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc