Patch February is the new patch Tuesday
We have been talking for some time about the bugs lurking in old code, in fact we predicted that there would be an increase in vulnerability discovery (specifically in old libraries) during 2016.
Following on from ShellShock, Heartbleed, Venom, Ghost etc. They are really coming out of the woodwork now. We have seen serialisation issues in Java, which have caused emergency patching followed quickly by numerous vulnerabilities in IKE code and now in the Glibc library found in almost anything running Unix, and Unix components – servers, routers, the lot.
What this has meant for ITC is a raft of critical patching, in the case of the IKE vulnerability, major upgrades to a large number of Cisco ASA devices. The fact that Cisco didn’t have a patch for the version of code in use at many of our customers meant that we had to rewrite a large number of firewall configurations to support new code. Just as we finished executing these upgrades, Cisco patched the older code, a significantly smaller patch effort, thanks.
To add insult to injury, no sooner has the dust settled and Cisco announce another, albeit ‘High’ rather than ‘Critical’, vulnerability announced here.
This issue affects not only a swathe of Cisco equipment but also many RedHat servers. Here is the RedHat advisory.
Building a robust process to analyse these announced vulnerabilities, establish the risk they pose to your stuff and prioritising remediation activity is essential,and we are always working to improve the quality of ours for our NetSure360° managed service customers.
We understand that this can be very confusing and it is sometimes hard to see the wood from the trees. If you are not a NetSure360° customer and want some advice, please contact us on: 020 7517 3900 or email us at firstname.lastname@example.org.
In the meantime, happy patching! We feel your pain.