What is the exact meaning of end of vulnerability/security support?

theerapongpomp
Level 1

Hi,

I have a question after checking the EOL: from a management perspective, what exactly is the meaning of end of vulnerability/security support?

It mentions "The last date that Cisco Engineering may release a planned maintenance release or scheduled software remedy for a security vulnerability issue." I can see it stops 2 years before EOL.

What happens if there is a vulnerability after it? How does Cisco handle it?


Thanks.

6 Replies

Leo Laohoo
Hall of Fame

Regardless if the vulnerability is "(actively) exploited" or not, after that date, any security vulnerability reported will not be investigated & any vulnerability will not be fixed.


Hi,

Thanks for the information. May I know more: in the case of security advisory reports, Cisco won't do anything? Like the recent report of Log4J or anything else; they are quite critical.

I just wonder, since End of Life is 2 years after, how are they going to support it if they find related vulnerabilities.

Thanks. 


@theerapongpomp wrote:
Like recent report of Log4J or anything else, they are quite critical. 

Log4J is "old news". Patches and fixed software have already been released.

Joseph W. Doherty
Hall of Fame

It means you're on your own.

Software fixes for any issue are no longer provided.

Further, Cisco might not even publish whether your software is vulnerable to a new security hole documented on supported systems.

As an aside, is this situation end-of-the-world?  Possibly not; many variables involved to determine actual threat level (somewhat like assessing zero day exploits) and what's tolerable, or not, to you.


@Joseph W. Doherty wrote:

As an aside, is this situation end-of-the-world?  Possibly not; many variables involved to determine actual threat level (somewhat like assessing zero day exploits) and what's tolerable, or not, to you.


Hi all,

Thank you @theerapongpomp for starting the discussion. The additional milestone (EoVSS) on Cisco's product lifecycle is a painful experience for S/I partner fronting Cisco's business towards clients.  

As at 2023-10-02, Cisco's EOL Policy on product lifecycle does not discuss the new EOVSS milestone (see attached screen-grab of milestone table). Now, when complying with clauses regarding lifecycle, we are faced with the prospect of declaring a product's lifespan to be only 3 years from End-of-Sale, instead of 5 years. And it makes the depreciation cost of Cisco's products higher.

I am also reading the EOVSS description as Cisco Engineering releasing a planned maintenance release or scheduled software remedy, suggesting that Cisco will still produce hotfixes for vulnerabilities discovered and reported by clients. So, it seems all is not doom-and-gloom, but for clients needing to run 24x7 commercial services, it becomes an Achilles heel.

Can anyone volunteer insights on whether this EOVSS milestone is the norm with Cisco's competitors too?

Is the conclusion that if a Zero Day comes out Cisco will release a fix? Example: VEDGE 1000 will have a public Internet IP address for Transport in VPN 0. If a remote code execution bug is found, will Cisco release a fix? I have Smartnet on the vEdge until January 31, 2026, but the End of Vulnerability/Security Support (HW) ended on Jan. 30, 2024.
