Security Update Policy
This page lists announcements of security fixes made in Critical Patch Update Advisories, Security Alerts, and Release Notes. It is updated when new Critical Patch Update Advisories, Security Alerts, and Release Notes are released.
We currently disclose vulnerabilities and security releases via numerous channels:
- Aviatrix Controller and Gateway Release Notes
- PSIRT Advisories
- Early Disclosure Mailing List
- Customers can also subscribe to notices of fix availability via Email Notifications.
While deploying our collective multi-cloud architecture, it is preferable to perform upgrades within a maintenance window. The Aviatrix Product Security Team intends to support routine operations by shipping quarterly security releases so that upgrade operations can be planned in advance. If you have any questions, please open a support ticket at the Aviatrix Support Portal.
The Aviatrix Product Security Team intends to ship a security release on the first Tuesday of every third month. A Patch Tuesday can consist of image releases, software releases, or both. Announcements will be made two weeks before a Patch Tuesday release, including whether the release will contain image or software releases.
- These security releases may contain fixes for multiple CVEs.
- All fixes that are included will be described in the Patch Tuesday release notes.
- The schedule for the Patch Tuesday release is as follows:
Unscheduled Security Releases
Aviatrix attempts to ship all security fixes in a Patch Tuesday release. Exceptions to this policy may be made for critical vulnerabilities. Examples of these include:
- Externally exploitable denial of service vulnerabilities affecting the data plane.
- Unauthorized externally exploitable remote code execution affecting either the control plane or the data plane.
- Zero-day vulnerabilities: Depending on context, zero-day generally means a public, unpatched vulnerability. For purposes of this document, we are referring to public, unpatched vulnerabilities that are actively exploited.
Early Disclosure List
The intent of the early disclosure list is to notify you that an upgrade is coming at a specific date and time so that you can prepare a maintenance window to upgrade. The early disclosure email purposely limits vulnerability details prior to release so that when the public becomes aware of a vulnerability, a fix is available.