
Cisco Introduces New Vulnerability Disclosure Format

Cisco has announced a new and more streamlined format for disclosing security vulnerabilities in an effort to make it easier for network administrators to prioritize their response.

Up until now, critical and high severity vulnerabilities were detailed in Cisco Security Advisories, while medium and low severity issues were documented in Cisco Security Alerts. The networking giant wants to make it easier for customers to access information on vulnerabilities in its products so it has decided to merge all security advisories and alerts, regardless of their severity, into Cisco Security Advisories.

Based on feedback from customers, Cisco has made the security advisory listing page easier to navigate and it has simplified the process of searching for specific advisories. The advisories themselves have also been made easier to read, and updates to existing advisories are now more apparent.

In addition to providing a CVSS score for each vulnerability, Cisco has introduced a Security Impact Rating (SIR) that classifies flaws as critical, high, medium or low severity based on that score. The SIR is displayed prominently in each advisory.

“Our goal in introducing this new security vulnerability disclosure document format is to better inform customers about security vulnerabilities in a consistent and transparent way,” said Omar Santos, principal engineer at Cisco’s product security incident response team (PSIRT).

Advisories have also been made available in the Common Vulnerability Reporting Framework (CVRF) format, a security automation standard that provides a common language for exchanging vulnerability advisories. New RSS feeds have been added for the CVRF format and for Open Vulnerability and Assessment Language (OVAL) content related to security holes in IOS software.

John Stewart, who leads Cisco’s Security and Trust Organization, revealed in a blog post on Monday that the company also plans on rolling out an API to help customers automate vulnerability assessment and empower them to customize security flaw notifications.

Cisco advises customers to check out the company’s Security Vulnerability Policy for additional details on receiving threat, vulnerability and mitigation information, and to find out more about its vulnerability management process.

On Monday, Cisco also published a couple of advisories detailing newly disclosed vulnerabilities affecting the Aironet 1850 Series Access Point device and the RADIUS client feature in IOS software.

According to the company, Aironet 1850 devices are affected by a vulnerability that allows a local, authenticated attacker to elevate privileges (CVE-2015-6315). The RADIUS client is affected by a denial-of-service (DoS) vulnerability that a remote, authenticated attacker can exploit to cause devices to reload (CVE-2015-6263). Cisco has released software updates to address both flaws.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
