dzedler (Level 1)
Status: New

Advisories do not compare affected software versions of a security advisory with the ones used in the environment. A recent example is CVE-2024-6387, which just affects IOS XE 17.14, and is fixed in 17.15.1. Devices running IOS XE 17.9.x are flagged as potentially affected, but clearly cannot be affected at all.

The platform (which we pay for) should reduce manual work, not just present the same things differently. The expectation is that the manual work to compare security advisories with the environment is no longer needed, especially for such basic things like software versions. This is the promise of the service, where it currently lacks real benefit.

I even expect it to verify if I am using affected features in my environment based on the information DNAC/CCC has.

I also would like to see that acknowledgements made in the CX portal are automatically reflected in the Security Advisories section of DNAC/CCC and vice versa.

I was told in SR 697979885 that the current state is not a bug, but that everything works as designed, and asked to share my feedback in this portal.

2 Comments
Chris Camplejohn (Cisco Employee)

@dzedler Thank you for your feedback. We understand that the lack of version analysis in the automation for these advisories is frustrating. For most advisories, the automated analysis includes the versions. Currently, when the advisory is a 3rd Party advisory (i.e. Open Source code), we do not have the full affected release list available for automation and therefore you see them reported as "Potentially Affected". We have this request in to our data provider for future enhancement. The automation does look at affected features, where applicable.

Thank you also for your idea about the sync of acknowledgement of the advisories between CX Cloud and Catalyst Center. We will get that added to the backlog for both products.

Chris Camplejohn (Cisco Employee)

@dzedler I double-checked the automation logic for CVE-2024-6387 and we are also checking the running configuration to make sure netconf over SSHv2 is enabled for IOS-XE devices.
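An added illustration, not Catalyst Center's or Cisco's code, of the triage the idea and the replies describe: compare a device's IOS XE version against the advisory's affected range, fall back to "potentially affected" when the advisory carries no release list, and confirm the required feature in the running configuration. The advisory figures are taken from this thread as stated; the NETCONF check is a simplified stand-in (it looks for the `netconf-yang` line) and the device versions and configs are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

def parse_version(v: str) -> tuple:
    """Turn '17.9.4a' into ((17,''),(9,''),(4,'a')); a suffix letter sorts after the bare number."""
    out = []
    for part in v.split("."):
        m = re.fullmatch(r"(\d+)([a-z]?)", part)
        if not m:
            raise ValueError(f"unrecognised version component {part!r}")
        out.append((int(m.group(1)), m.group(2)))
    return tuple(out)

@dataclass
class Advisory:
    cve: str
    affected_from: Optional[str]   # None: affected release list unknown (e.g. 3rd-party advisory)
    first_fixed: Optional[str] = None
    feature_required: Optional[Callable[[str], bool]] = None

def netconf_ssh_enabled(running_config: str) -> bool:
    """Simplified stand-in for the feature check: NETCONF-YANG (served over SSH) is configured."""
    return any(line.strip() == "netconf-yang" for line in running_config.splitlines())

def triage(adv: Advisory, version: str, running_config: str = "") -> str:
    """Classify one device as 'affected', 'not affected' or 'potentially affected'."""
    if adv.affected_from is None:
        return "potentially affected"   # nothing to compare against; leave for manual review
    v = parse_version(version)
    if v < parse_version(adv.affected_from):
        return "not affected"           # older train, e.g. 17.9.x against a 17.14 advisory
    if adv.first_fixed and v >= parse_version(adv.first_fixed):
        return "not affected"           # fixed release or later
    if adv.feature_required and not adv.feature_required(running_config):
        return "not affected"           # vulnerable code present, but the feature is not enabled
    return "affected"

# Sample advisories constructed from the thread (figures as stated there; not official data)
CVE_2024_6387 = Advisory("CVE-2024-6387", "17.14", "17.15.1", netconf_ssh_enabled)
THIRD_PARTY = Advisory("CVE-XXXX-PLACEHOLDER", None)

if __name__ == "__main__":
    # Constructed devices: (version, running-config excerpt)
    for ver, cfg in [("17.9.4", "netconf-yang"), ("17.14.1", "netconf-yang"), ("17.14.1", "")]:
        print(ver, CVE_2024_6387.cve, triage(CVE_2024_6387, ver, cfg))
```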