Today, we released the first Cisco IOS & IOS XE Software Security Advisory Bundled Publication of 2017. (As a reminder, Cisco discloses vulnerabilities in Cisco IOS and IOS XE Software on a predictable schedule—the fourth Wednesday of March and September in each calendar year).  Today’s edition of the Cisco IOS & IOS XE Software Security Advisory Bundled Publication includes five advisories that disclose vulnerabilities in the following technologies:

  • DHCP client
  • Layer 2 Tunneling Protocol (L2TP)
  • Zero Touch Provisioning
  • Web framework
  • Web user interface

This bundled publication is the first that uses Version 3 of the Common Vulnerability Scoring System (CVSSv3), which is the latest version of this industry standard. CVSSv3 allows vendors to better analyze the impact of security vulnerabilities and more clearly define the urgency of response for customers. For more information, see the announcement from my colleague, Omar Santos. Other than this change, today’s publication should feel fairly familiar.

Make sure you take a look at the Cisco Event Response—our go-to document that correlates the full array of Cisco Security resources for this bundle, including links to the advisories, CVSS scores, Security Impact Ratings, and OVAL and CVRF content. And don’t forget about the Cisco IOS Software Checker, the quickest way to determine your exposure to vulnerabilities disclosed in this advisory bundle and to identify the earliest release (“First Fixed Release”) that corrects all the vulnerabilities described in a particular security advisory. Cisco updates the Software Checker data daily to include the most current information. And, as you may recall from the last bundled publication, the Software Checker now supports queries for Cisco IOS XE Software releases. You asked for this functionality and we listened.

As the project manager who oversees the management and delivery of these bundled disclosures, I have unique insight into the level of effort and collaboration involved—a dedicated team of incident managers, a variety of partner organizations, special tooling, months of preparation, and thousands of communications. All of these come together to deliver a bundled disclosure on the fourth Wednesday of March and September each calendar year.

Cisco PSIRT is committed to improving our disclosure processes to meet your needs. We hope the publication timeline, enhanced tooling, and additional “bundling” help your organization plan and ensure resources are available to analyze, test, and remediate these vulnerabilities in your environments. Please let us know in the comments below. We take your feedback seriously!

The next Cisco IOS & IOS XE Software Security Advisory Bundled Publication is scheduled for September 27, 2017. Mark your calendars now. And don’t forget—for all things security, visit the Cisco Security portal, the primary outlet and home for Cisco security intelligence content.


Erin Float

Project Manager

Security Research and Operations Group