March 2018 Cisco IOS and IOS XE Software Bundled Publication

March 28, 2018

Today, we released the first Cisco IOS and IOS XE Software Security Advisory Bundled Publication of 2018. As a reminder, Cisco discloses vulnerabilities in Cisco IOS Software and Cisco IOS XE Software on a predictable schedule—the fourth Wednesday of March and September in each calendar year. Today’s release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication includes 20 advisories that disclose vulnerabilities in the following technologies and features:

  • Bidirectional Forwarding Detection (BFD)
  • Cisco Umbrella Integration
  • Command-line interface (CLI)
  • Dynamic Host Configuration Protocol (DHCP)
  • Integrated Services Module for VPN (ISM-VPN)
  • Internet Group Management Protocol (IGMP)
  • Internet Key Exchange (IKE)
  • Internet Protocol (IP)
  • Link Layer Discovery Protocol (LLDP)
  • Quality of Service (QoS)
  • Simple Network Management Protocol (SNMP)
  • Smart Install (SMI)
  • Web-based user interface (web UI)
  • Zone-Based Firewall (ZBF)

Make sure you take a look at the Cisco Event Response—our go-to document that correlates the full array of Cisco Security resources for this bundle, including links to the advisories, CVSS scores, and Security Impact Ratings. And don’t forget about the Cisco IOS Software Checker, the quickest way to determine your exposure to vulnerabilities disclosed in this advisory bundle and to identify the earliest release (“First Fixed Release”) that corrects all the vulnerabilities described in a particular security advisory. Cisco updates the Software Checker data daily to include the most current information. And, as you may recall from last year, the Software Checker now supports queries for Cisco IOS XE Software releases. You asked for this functionality and we listened.

As the project manager who oversees the management and delivery of these bundled disclosures, I have unique insight into the level of effort and collaboration involved—a dedicated team of incident managers, a variety of partner organizations, special tooling, months of preparation, and thousands of communications. All of these come together to deliver a bundled disclosure on the fourth Wednesday of March and September in each calendar year.

Cisco PSIRT is committed to improving our disclosure processes to meet your needs. We hope the publication timeline, enhanced tooling, and additional “bundling” help your organization plan and ensure that resources are available to analyze, test, and remediate these vulnerabilities in your environments. Please let us know in the comments below. We take your feedback seriously!

The next Cisco IOS and IOS XE Software Security Advisory Bundled Publication is scheduled for September 26, 2018. Mark your calendars now. And don’t forget—for all things security, visit the Cisco Security Portal, the primary outlet and home for Cisco security intelligence content.



  1. Sir,
    I want to learn more about IOS/XE. Can you suggest some good resources? I couldn't find any on YouTube or the Cisco home page for IOS/XE.

  2. This release of vulnerability information in IOS and IOS-XE is very informative, but neither you nor "Cisco Event Response" nor IOS software checker nor any other tool provides information on when new IOS/IOS-XE images will be released to actually remediate these issues. What is the point of telling the world your software is vulnerable without providing updated software images?

    • Hi Charles–thanks for reaching out. The IOS Software Checker should be providing this information; it's the single source of truth for affected and fixed software data. The final screen should clearly identify which advisories affect the release you queried against, and the first release in the upgrade path that addresses all vulnerabilities in that document should be listed in the 'First Fixed' column. If your query identified more than one Security Advisory that affects your release(s), the tool should also provide a combined first fixed release that addressed all vulnerabilities in all documents. Please let us know if the tool isn't functioning as intended.

      Erin Float
      Cisco PSIRT Program Manager