02-19-2023 12:20 AM
Hi,
I have a question after checking the EOL: from a management perspective, what exactly is the meaning of end of vulnerability/security support?
It mentions "The last date that Cisco Engineering may release a planned maintenance release or scheduled software remedy for a security vulnerability issue." I can see it stops 2 years before EOL.
What happens if there is a vulnerability after it? How does Cisco handle it?
Thanks.
02-19-2023 12:57 AM - edited 02-19-2023 12:58 AM
Regardless if the vulnerability is "(actively) exploited" or not, after that date, any security vulnerability reported will not be investigated & any vulnerability will not be fixed.
02-19-2023 02:10 AM
Hi,
Thanks for the information. May I know more: in case of security advisory reports, Cisco won’t do anything? Like the recent report of Log4J or anything else, they are quite critical.
I just wonder, as the End of Life will take 2 years after, how are they going to support it if they find related vulnerabilities?
Thanks.
02-19-2023 02:24 AM
@theerapongpomp wrote:
Like recent report of Log4J or anything else, they are quite critical.
Log4J is "old news". Patches and fixed software have already been released.
02-19-2023 04:39 AM
It means you're on your own.
Software fixes for any issue no longer provided.
Further, Cisco might not even publish whether your software is vulnerable to a new security hole documented on supported systems.
As an aside, is this situation end-of-the-world? Possibly not; many variables involved to determine actual threat level (somewhat like assessing zero day exploits) and what's tolerable, or not, to you.