
Cisco Introduces New Vulnerability Disclosure Format

Cisco has announced a new and more streamlined format for disclosing security vulnerabilities in an effort to make it easier for network administrators to prioritize their response.


Up until now, critical and high severity vulnerabilities were detailed in Cisco Security Advisories, while medium and low severity issues were documented in Cisco Security Alerts. The networking giant wants to make it easier for customers to access information on vulnerabilities in its products so it has decided to merge all security advisories and alerts, regardless of their severity, into Cisco Security Advisories.

Based on feedback from customers, Cisco has made the security advisory listing page easier to navigate and it has simplified the process of searching for specific advisories. The advisories themselves have also been made easier to read, and updates to existing advisories are now more apparent.

In addition to publishing each vulnerability's CVSS score, Cisco has introduced a Security Impact Rating (SIR) that classifies flaws as critical, high, medium or low severity based on that score. The SIR is displayed prominently in each advisory.

“Our goal in introducing this new security vulnerability disclosure document format is to better inform customers about security vulnerabilities in a consistent and transparent way,” said Omar Santos, principal engineer at Cisco’s product security incident response team (PSIRT).

Advisories have also been made available in the Common Vulnerability Reporting Framework (CVRF) format, a security automation standard that provides a common language for exchanging vulnerability advisories. New RSS feeds have been added for the CVRF format and for Open Vulnerability and Assessment Language (OVAL) content related to security holes in IOS software.
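The point of the SIR and of machine-readable CVRF advisories is that an administrator can sort a vendor's disclosures by impact without reading every document by hand. As an added example (not Cisco's code, and not from the article), the script below parses a constructed, trimmed CVRF 1.1 document, maps each vulnerability's CVSS base score to a SIR-style rating, and orders the results so the most severe entries come first. The XML uses placeholder advisory and CVE identifiers with made-up scores, and the severity thresholds are an assumption for this example; real advisories carry many more fields than the handful shown here.

```python
"""Rank the vulnerabilities in a CVRF-style advisory by a SIR-like rating.

Added example, not Cisco's code. The advisory below is constructed and trimmed
to the few CVRF 1.1 elements this example needs; the CVSS-to-SIR thresholds
are an assumption, not a statement of any vendor's policy.
"""
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces (ICASI); 'cvrf' is the document default, 'vuln' holds entries.
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample advisory: placeholder IDs and made-up scores only.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Example Security Advisory (constructed)</DocumentTitle>
  <DocumentType>Cisco Security Advisory</DocumentType>
  <DocumentTracking>
    <Identification><ID>cisco-sa-EXAMPLE-placeholder</ID></Identification>
    <Status>Final</Status>
    <Version>1.1</Version>
  </DocumentTracking>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Placeholder privilege escalation</vuln:Title>
    <vuln:CVE>CVE-0000-00001</vuln:CVE>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>6.5</vuln:BaseScore></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Placeholder remote denial of service</vuln:Title>
    <vuln:CVE>CVE-0000-00002</vuln:CVE>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>7.8</vuln:BaseScore></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="3">
    <vuln:Title>Placeholder information leak</vuln:Title>
    <vuln:CVE>CVE-0000-00003</vuln:CVE>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>3.3</vuln:BaseScore></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
</cvrfdoc>
"""

# Sort key: lower number means handle first.
SIR_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def sir_from_cvss(score: float) -> str:
    """Map a CVSS base score to a SIR-style rating.

    Assumed thresholds for this example: critical >= 9.0, high >= 7.0,
    medium >= 4.0, low otherwise. Check the vendor's published policy for
    the real boundaries before relying on them.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def parse_advisory(xml_text: str) -> dict:
    """Extract advisory metadata and its vulnerabilities, most severe first."""
    root = ET.fromstring(xml_text)
    doc_id = root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS)
    version = root.findtext("cvrf:DocumentTracking/cvrf:Version", namespaces=NS)
    vulns = []
    for entry in root.findall("vuln:Vulnerability", NS):
        cve = entry.findtext("vuln:CVE", namespaces=NS)
        score_text = entry.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", namespaces=NS)
        if cve is None or score_text is None:
            # No CVE or no score: skip rather than guess a rating.
            continue
        score = float(score_text)
        vulns.append({
            "cve": cve,
            "title": entry.findtext("vuln:Title", namespaces=NS),
            "cvss": score,
            "sir": sir_from_cvss(score),
        })
    # Order by SIR, then by CVSS score within the same rating.
    vulns.sort(key=lambda v: (SIR_ORDER[v["sir"]], -v["cvss"]))
    return {"id": doc_id, "version": version, "vulnerabilities": vulns}


if __name__ == "__main__":
    advisory = parse_advisory(SAMPLE_CVRF)
    print(f"{advisory['id']} (version {advisory['version']})")
    for v in advisory["vulnerabilities"]:
        print(f"  {v['sir']:<8} {v['cvss']:>4}  {v['cve']}  {v['title']}")
```

Entries without a CVE or a base score are skipped instead of being assigned a default rating, since a silently invented "low" is exactly the kind of mistake a prioritization feed should not make; the same parser could be pointed at an advisory fetched from a CVRF RSS feed once the real element layout has been confirmed against the vendor's documents.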

John Stewart, who leads Cisco’s Security and Trust Organization, revealed in a blog post on Monday that the company also plans to roll out an API to help customers automate vulnerability assessment and customize security flaw notifications.

Cisco advises customers to check out the company’s Security Vulnerability Policy for additional details on receiving threat, vulnerability and mitigation information, and to find out more about its vulnerability management process.


On Monday, Cisco also published a couple of advisories detailing newly disclosed vulnerabilities affecting the Aironet 1850 Series Access Point device and the RADIUS client feature in IOS software.

According to the company, Aironet 1850 devices are plagued by a vulnerability that allows a local, authenticated attacker to elevate privileges (CVE-2015-6315). The RADIUS client is affected by a denial-of-service (DoS) vulnerability that can be exploited by a remote, authenticated attacker to cause devices to reload (CVE-2015-6263). Cisco has released software updates to address both flaws.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
