Today, we released the first of two semiannual Cisco IOS & XE Software Security Advisory Bundled Publications of 2016. (As a reminder, Cisco discloses IOS & XE vulnerabilities on a predictable schedule—the fourth Wednesday of March and September in each calendar year).   Today’s edition of the Cisco IOS & XE Software Security Advisory Bundled Publication includes six advisories that affect the following technologies:

  • DHCPv6 Relay
  • Session Initiation Protocol (SIP)
  • Smart Install
  • Wide Area Application Services (WAAS) Express
  • Locator/ID Separation Protocol (LISP)
  • Internet Key Exchange Version 2 (IKEv2)

Alongside this disclosure, we are pleased to announce that the Cisco IOS Software Checker will now support queries against Cisco IOS XE Software. This is a direct result of your feedback—you asked for this functionality, and we listened. All existing features will now function for Cisco IOS XE Software. Additionally, search results include the first-fixed release information for all vulnerabilities disclosed in the March 2016 publication. You may notice the absence of the IOS XE fixed software tables in affected security advisories; instead, the Cisco IOS Software Checker data is updated daily to include the most current information on recent Cisco IOS & XE Software releases.  I encourage you to take a spin around the enhanced tool now.

Make sure you also take a look at the Cisco Event Response—our go-to document that correlates the full array of Cisco Security resources for this bundle (including links to the advisories, CVSS scores and SIR ratings, and OVAL & CVRF content). As the project manager who oversees the management and delivery of these bundled disclosures, I have a unique perspective of the level of effort and collaboration involved. A dedicated team of incident managers, a variety of partner organizations, special tooling, months of preparation, thousands of communications—these all come together on the fourth Wednesday of March and September.

Cisco PSIRT is committed to improving our disclosure processes to meet your needs. We hope these publication timelines, enhanced tooling, and additional “bundling” helps your organizations plan and ensure resources are available to analyze, test, and remediate these vulnerabilities in their environments.  Let us know in the comments below!

The next Cisco IOS Software Security Advisory Bundled Publication is scheduled for September 28, 2016. Mark your calendars now. And don’t forget—for all things security, visit the Cisco Security Portal, the primary outlet for Cisco’s security intelligence and the public home to all our security-related content.


Erin Float

Project Manager

Security Research and Operations Group