Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3199
Views
2
Helpful
5
Replies

What is the exact meaning of end of vulnerability/security support?

theerapongpomp
Level 1
Level 1

‎02-19-2023 12:20 AM

Hi,

I have a question after checking the EOL and from management perspective what is the meaning of end of vulnerability/security support exactly?

it mentions "The last date that Cisco Engineering may release a planned maintenance release or scheduled software remedy for a security vulnerability issue."  I can see it stops before 2 years of EOL. 

What happens if there is vulnerability after it? how cisco handle it?

 

Thanks.

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Leo Laohoo
Hall of Fame
Hall of Fame

‎02-19-2023 12:57 AM - edited ‎02-19-2023 12:58 AM

Regardless if the vulnerability is "(actively) exploited" or not, after that date, any security vulnerability reported will not be investigated & any vulnerability will not be fixed.

 

0 Helpful

theerapongpomp
Level 1
Level 1
In response to Leo Laohoo

‎02-19-2023 02:10 AM

Hi,

Thanks for information. May i know more in case of security advisory reports, Cisco won’t do anything? Like recent report of Log4J or anything else, they are quite critical. 

I just wonder the End of Life will take 2 years after, how are they going to support is if they find related vulnerabilities. 

Thanks. 

Leo Laohoo
Hall of Fame
Hall of Fame
In response to theerapongpomp

‎02-19-2023 02:24 AM

@theerapongpomp wrote:
Like recent report of Log4J or anything else, they are quite critical. 

Log4J is "old news".  Patches and fixed software has already been released.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎02-19-2023 04:39 AM

It means you're on your own.

Software fixes for any issue no longer provided.

Further, Cisco might not even publish whether your software is vulnerable to a new security hole documented on supported systems.

As an aside, is this situation end-of-the-world?  Possibly not; many variables involved to determine actual threat level (somewhat like assessing zero day exploits) and what's tolerable, or not, to you.

sze_t
Level 1
Level 1
In response to Joseph W. Doherty

‎10-01-2023 08:50 PM

@Joseph W. Doherty wrote:

As an aside, is this situation end-of-the-world?  Possibly not; many variables involved to determine actual threat level (somewhat like assessing zero day exploits) and what's tolerable, or not, to you.

Hi all,

Thank you @theerapongpomp for starting the discussion. The additional milestone (EoVSS) on Cisco's product lifecycle is a painful experience for S/I partner fronting Cisco's business towards clients.  

As at 2023-10-02, Cisco's EOL Policy on product lifecycle does not discuss the new EOVSS milestone (see attached screen-grab of milestone table). Now, when complying to clauses regarding lifecycle, we are faced with the prospect of declaring a product's lifespan to be only 3 years from End-of-Sale, instead of 5 years. And it makes the depreciation cost of Cisco's products higher.

I am also reading the EOVSS description as Cisco Engineering releasing planned maintenance release or scheduled software remedy, suggesting that Cisco will still produce hotfixes for vulnerabilities discovered and reported by clients. So, it seems all is not doom-and-gloom, but for clients needing to run 24x7 commercial services, it becomes an Achillies heel.

Can anyone volunteer insights if this EOVSS milestone is norm with Cisco's competitors too?

Preview file
251 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card