02-19-2023 12:20 AM
Hi,
I have a question after checking the EOL: from a management perspective, what exactly is the meaning of end of vulnerability/security support?
It mentions "The last date that Cisco Engineering may release a planned maintenance release or scheduled software remedy for a security vulnerability issue." I can see it stops 2 years before EOL.
What happens if there is a vulnerability after it? How does Cisco handle it?
Thanks.
02-19-2023 12:57 AM - edited 02-19-2023 12:58 AM
Regardless if the vulnerability is "(actively) exploited" or not, after that date, any security vulnerability reported will not be investigated & any vulnerability will not be fixed.
02-19-2023 02:10 AM
Hi,
Thanks for the information. May I know more: in case of security advisory reports, Cisco won't do anything? Like the recent report of Log4J or anything else, they are quite critical.
I just wonder, since the End of Life comes 2 years after, how are they going to support it if they find related vulnerabilities?
Thanks.
02-19-2023 02:24 AM
@theerapongpomp wrote:
Like recent report of Log4J or anything else, they are quite critical.
Log4J is "old news". Patches and fixed software have already been released.
02-19-2023 04:39 AM
It means you're on your own.
Software fixes for any issue no longer provided.
Further, Cisco might not even publish whether your software is vulnerable to a new security hole documented on supported systems.
As an aside, is this situation end-of-the-world? Possibly not; many variables involved to determine actual threat level (somewhat like assessing zero day exploits) and what's tolerable, or not, to you.
10-01-2023 08:50 PM
@Joseph W. Doherty wrote:
As an aside, is this situation end-of-the-world? Possibly not; many variables involved to determine actual threat level (somewhat like assessing zero day exploits) and what's tolerable, or not, to you.
Hi all,
Thank you @theerapongpomp for starting the discussion. The additional milestone (EoVSS) on Cisco's product lifecycle is a painful experience for S/I partners fronting Cisco's business towards clients.
As at 2023-10-02, Cisco's EOL Policy on product lifecycle does not discuss the new EOVSS milestone (see attached screen-grab of milestone table). Now, when complying with clauses regarding lifecycle, we are faced with the prospect of declaring a product's lifespan to be only 3 years from End-of-Sale, instead of 5 years. And it makes the depreciation cost of Cisco's products higher.
I am also reading the EOVSS description as Cisco Engineering releasing planned maintenance release or scheduled software remedy, suggesting that Cisco will still produce hotfixes for vulnerabilities discovered and reported by clients. So, it seems all is not doom-and-gloom, but for clients needing to run 24x7 commercial services, it becomes an Achilles heel.
Can anyone volunteer insights on whether this EOVSS milestone is the norm with Cisco's competitors too?
07-12-2024 04:45 AM
Is the conclusion that if a Zero Day comes out Cisco will release a fix? For example, VEDGE 1000 will have a Public Internet IP address for Transport in VPN 0. If a remote code execution bug is found, will Cisco release a fix? I have Smartnet on Vedge until January 31, 2026 but the End of Vulnerability/Security Support:
HW ended on Jan. 30, 2024