Conflicting advice between 12-10-19 Target Path and 1-8-2020 Security Advisory 20190815

  • Question
  • Updated 2 months ago

I'm looking at updating my current ICX firmware. The "Ruckus Networks - Security Advisory ID 20190815 FAQ", updated on 1-8-2020, is listed with a vulnerability score of 7.5 (HIGH) and states that "...all customers are strongly encouraged to apply the fix once available." All versions of ICX are listed as vulnerable. The recommended action is to upgrade to 08.0.92 GA.

I reviewed the "Ruckus ICX Target Path Selection Guide", which was updated on 12-10-19. The current target path for ICX 7150-C12P is 08.0.90d.

The Target Path Selection Guide states:

The recommended release may be different from the latest Ruckus FastIron release for that platform. It could be the case that critical fixes that Ruckus wants all customers to use were done as part of the recommended release, and because this release has not experienced the customer exposure of two months, it would not yet be deemed a Target Path release. After the customer exposure time is met, it is possible that this recommended release could be promoted to a Target Path release.

Since the 08.0.92 GA was released more than two months ago, on 11-7-2019, the guide is implying that a stable release would be promoted to the Target Path release. The 08.0.92 GA firmware release has not been promoted, so does Ruckus feel it is not stable? 08.0.x2a is a maintenance or minor feature release. 08.0.xyd is a patch release. Would the wisest choice for a safe and stable version then be to upgrade to 08.0.92d?

It appears that the Target Path Selection Guide's intention is to target a feature release (08.0.Xya) and for admins to upgrade to the current minor feature and/or patch releases, i.e. the 'y' and 'a' releases. Why then does the guide list a patch version as the current target path? If the intention is to remain current, then would listing something like 08.0.9ya be clearer?


Michael Fisher

  • 1 Post
  • 0 Reply Likes

Posted 2 months ago


Simon, Employee

  • 99 Posts
  • 52 Reply Likes
Hi Michael

The security advisories were first addressed in 8.0.92 and then later in 8.0.90f; any later releases will be good as well.

Not all software versions become Target Path releases. We typically (but not always) select every other major release to become a TP candidate, and it is then tracked across a number of metrics such as how widely deployed it is, the number and severity of incoming defects, feedback from TAC and PS on breadth of deployment, etc.

8.0.90 was the last TP candidate and it met the required criteria in the .90d version and thus became the recommended release. The next candidate will be 8.0.95 (due out in a couple of months) and this will be tracked and declared TP when it hits the required metrics. 8.0.95 has been selected because a number of features it contains mean that it is likely to be highly desirable for a broad range of customers.

A non-TP release is not bad, it just hasn't been measured against the TP metrics.

In your case the recommendation would be that, unless you need the features that were added in the later releases, the best option is to go with the TP release or a later derivative, i.e. 8.0.90d or .90f. If you need one of the features introduced in a later release then go with the latest patch release of the version that you need, e.g. 8.0.92d.

Let me know if you need any further clarification.
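As an added illustration that is not part of this thread, the following Python snippet encodes the version scheme discussed above (08.0.Xy + optional patch letter) and the fixed-in information from Simon's reply (first fixed in 8.0.92, backported to 8.0.90f), so an admin can check whether an installed FastIron build should contain the fix for advisory 20190815 before upgrading. It assumes that an intermediate branch such as 8.0.91 did not receive the backport, which is one reading of "8.0.92 and then later 8.0.90f"; confirm against the advisory for your exact build.

```python
import re
from typing import NamedTuple


class FastIronVersion(NamedTuple):
    major: int
    minor: int
    build: int   # the "Xy" part, e.g. 90 or 92
    patch: int   # 0 = GA (no letter), 1 = 'a', 2 = 'b', ...

    @property
    def branch(self):
        # The branch a patch release belongs to, e.g. 8.0.90 for 08.0.90d.
        return (self.major, self.minor, self.build)


# Accepts both "08.0.90d" (guide style) and "8.0.90f" (reply style).
_VERSION_RE = re.compile(r"^0?(\d+)\.(\d+)\.(\d+)([a-z])?$")


def parse_version(text):
    """Parse a FastIron version string; a trailing ' GA' is tolerated."""
    m = _VERSION_RE.match(text.strip().lower().replace(" ga", ""))
    if not m:
        raise ValueError(f"unrecognised FastIron version: {text!r}")
    major, minor, build, letter = m.groups()
    patch = 0 if letter is None else ord(letter) - ord("a") + 1
    return FastIronVersion(int(major), int(minor), int(build), patch)


# Fixed-in releases as stated in the reply above (assumed complete).
FIXED_IN_20190815 = [parse_version(v) for v in ("8.0.92", "8.0.90f")]


def contains_fix(version, fixed_in=FIXED_IN_20190815):
    """True if `version` is at or beyond a fixed-in release on its branch,
    or on any branch newer than the mainline fix ("any later releases")."""
    v = parse_version(version) if isinstance(version, str) else version
    mainline = max(fixed_in)          # highest branch carrying the fix
    if v.branch > mainline.branch:
        return True
    for f in fixed_in:
        if v.branch == f.branch:      # same branch: compare patch letters
            return v.patch >= f.patch
    # Assumption: branches between a backport and the mainline fix
    # (e.g. 8.0.91) did not receive it.
    return False


if __name__ == "__main__":
    for candidate in ("08.0.90d", "8.0.90f", "08.0.92 GA", "08.0.92d", "8.0.95"):
        print(candidate, "fixed" if contains_fix(candidate) else "NOT fixed")
```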