THIS DOCUMENT AND CISCO OVAL DEFINITIONS ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Updates of security advisories, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Customers should always check security advisories at cisco.com/go/psirt for the latest and most accurate information about Cisco security vulnerabilities.
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html . All Cisco security advisories are available at http://www.cisco.com/go/psirt
The following links include the OVAL definitions for the Cisco IOS Software Security Advisories released since March 2010.
Note: In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year. For detailed information visit Cisco's security vulnerability policy at:
All Cisco security advisories are available at http://www.cisco.com/go/psirt
The March 2011 bundle was delayed until September 2011 due to the earthquake in Japan.
What is OVAL?
OVAL is an international community standard to promote open and publicly available security content, and to standardize the transfer of this information in security tools and services. OVAL is part of the Security Content Automation Protocol (SCAP) specifications. OVAL’s main purpose is to assist security administrators by accelerating the process of analyzing a system for the presence of a vulnerability or configuration best practices.
Note: MITRE’s OVAL website contains a detailed definition at the following link: http://oval.mitre.org/about/index.html
OVAL speeds up information exchange and processing of such security-related information. Using OVAL security administrators and other users can accelerate the process of detecting software vulnerabilities in Cisco IOS Software. OVAL content (often called “definitions”) can be downloaded directly from Cisco IOS security advisories. Each Cisco IOS security advisory includes a link to the corresponding OVAL definition(s).
What Are OVAL Definitions?
OVAL Definitions are XML files that contain information about how to check a system for the presence of vulnerabilities, configuration issues, patches, installed applications, or other characteristics of such system. For vulnerability checks, definitions are written to check for a vulnerability, often identified by a specific Common Vulnerabilities and Exposures (CVE) identifier. OVAL definitions must comply with the OVAL Definition Schema, and should be written in accordance with the Authoring Style Guide defined by MITRE. MITRE’s “OVAL Definition Lifecycle” website has a detailed description of the OVAL definition process: http://oval.mitre.org/repository/about/stages.html
OVAL enables interoperability between security and network management products from different vendors in different vertical markets allowing them to quickly and automatically perform vulnerability and compliance assessment of network infrastructure and networking devices. All organizations participating in the OVAL Adoption Program are listed in MITRE’s website at: http://oval.mitre.org/adoption/participants.html
The following whitepaper provides a detailed description of the SCAP components and other security automation specifications, as well as step-by-step instructions on how to use OVAL content with available open source tools:
A frequently asked questions (FAQ) document has been published at the following location to help answer some of the common questions related to Cisco’s OVAL adoption: