We understand that the web is needed, but If this bug affect the web-management only, to block the access to the web o directly disable it could allow the customer a few more days to deploy a new version. The alternative is to shut down the cluster to do not be exposed and disrupt the service.  
Take into account that the customer may have a previous version due to some specific reason, that may be unsupported HW, unsupported VMware version, compatibility with other machines, integrations, etc that may slowdown the upgrade.

When we face controversial information it generates some concerns and distrust...

In one hand, the advisory and bugs mentions that the problem affects web-management interface only and reading how a CSRF works and the related CWE-352 that states: "An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application... Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges", it lead us to interpret that the device used to access the Expressway web-management is the one that must be compromised and that it is related with logins and its privileges.

By the other hand, the information received confirms that it affects the web-management interface only but also says that the vulnerability affects the entire system and anyone with network access to the Expressway could exploit this vulnerability.

There are thousands of Expressways running on HW/hosts that cannot be quickly upgraded to the fixed releases and I think that an advisory with that magnitud should be better written and detailed. 

Best Regards

Does it affect Exp Version 14.0.7 ? The bug says the affected version is 14.0.3 ?

It say clearly that any version prior to 14.0 and including any 14.0 is affected. You need to be on 14.3.4 or 15.0.0 to not be affected.

We are running release 14.3.3.  Do we need to upgrade to 14.3.4 or are we good since it says effects 14.0 and earlier?  

Fixed release is X14.3.4. So every things else / lower than this version is affected.

How hard can this be. Did you even read the previous answer before you asked?

The release note explicitly indicates version 14.3.4, and if you are currently on 14.3.3, you are indeed affected and should upgrade to the fixed versions, which is 14.3.4

hello @Nithin Eluvathingal  ,Does this bug affect MRA calls? Or internal calls on EXP?

The defect is not related to any specific service that runs on Expressway, it affects the whole Expressway. So anything on Expressway below the mentioned fixed versions, ie x14.3.4 and x15.0.0, are affected, regardless what services the Expressway provides.

According to the advisory: YES

Yes. You need to be on 14.3.4 or 15.0.0 to not be affected.