We know that communicating quickly and openly about security vulnerabilities can result in a little extra public attention for Cisco. As a trustworthy vendor, this is something we’re happy to accept.
It’s recently been said that there is only one thing being discussed by IT security people right now – the OpenSSL heartbeat extension vulnerability (aka Heartbleed). As the guy responding to related media questions for Cisco, that certainly rings true.
This is an industry-wide issue affecting commonly-used, open source encryption software. Some of my colleagues recommended this blog or this blog for an overview of the topic.
Cisco was one of the first to provide a comprehensive update for our customers (April 9): OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products. This advisory continues to be updated, and at the time of this posting was on its fourth version. It provides an overview of the topic, and a full list of the Cisco products confirmed as affected, remediated, or not affected. It also links to more information, including any available workarounds or free software updates.
Our customers can rely on the fact that our response will be managed according to our long-standing security disclosure policy. This means providing the best information we have, as quickly as possible, even if that information could be incomplete at the time. As we continue to make progress, we will continue to update our public-facing information.
To our customers: we recommend staying connected to this information and considering any implications for your network.
I think you are not being open and helpful enough. You could at least launch a separate website, e.g. heartbleedpatches.com or heartbleedbug.com etc., to ease your customers’ problem.
Aftab,
I appreciate the suggestion. The separate website would be a one-off, but we’ve found that including ALL of our security advisories in the one place (see http://www.cisco.com/go/psirt) means that our customers know where to go every time.
Nigel.
But what about the cisco.com website? Is it safe to change our passwords on the site? What about the Learning Network website? Or other components of Cisco’s web presence? This vulnerability is targeted at websites, and while Cisco products are affected, what people come here trying to find out is whether cisco.com was affected, and that information isn’t easy to find. Lastpass can’t even tell, and they’re at the forefront of mediating this bug for users.
Hi Dan.
I’ve checked overnight with the Cisco Security Incident Response Team. We’re not aware of any Cisco.com infrastructure that was vulnerable to Heartbleed. Although there is no need to change your password, you are of course welcome to do so. Unfortunately I’m not familiar with how the Learning Network website is hosted, so please let me look into that and come back to you.
Nigel.
Dan,
I’ve confirmed that the initial testing has shown that the Cisco Learning Network is NOT affected by this vulnerability.
Nigel.
Since you published all affected products and some of them are without fixes/patches right now, I’m just wondering whether Cisco has defined an SLA for R&D teams to finish the patches. If yes, what is the timeframe for patch release, and will you publish the schedule for total transparency?
Hi Bin Zhou,
Many thanks for your question. Working alongside the Cisco PSIRT as I do, I know they’re focused on delivering patches for the Cisco products in your network ASAP. You raise a great suggestion about including forecast delivery dates. I’ll take this back to the team.
Nigel.