Problem with approval?
Give Ci$Co a break. It's not easy getting the NSA's approval for patches that might affect their operations.
A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities – including one remote code execution (RCE) flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Norwegian infosec biz Watchcom spotted the vulnerabilities, having been asked by a …
PFY: I think I've fixed the bug that was reported.
BOFH: Are you sure? If that bug was in the original code don't you think that they might have a few others?
PHB: STFU, release the patch and we'll monitor the downloads and send everyone an advert for a new product. We can fix the other bugs later and generate more downloads and data collection. Our bugs make us money.
Jabber, or XMPP as we call it nowadays, is just a protocol. The protocol is not the culprit; it is beyond any suspicion. The culprit is faulty (or backdoored, to be precise) SW in the case of Cisco, or a malicious App in the case of Alcatel. But who uses Cisco in the first place? I for one would never ever use Cisco (nor any other US-supplied network gear), particularly not for XMPP.
"We followed our well-established security vulnerability process"
Well, it's good to know that THAT is what it is called. Maybe you should try a "vulnerability elimination process"
"We followed our well-established security vulnerability process"
Maybe you should try UNestablishing it, then. This one seems broken. Uhh...where do I report a bug?
"We followed our well-established security vulnerability process"
You know, maybe if you were to establish a process for not creating security vulnerabilities in the first place, and following that, we could all save some time.
Cisco is not the only one ... Aruba has published ARUBA-PSA-2020-012:
* Buffer Overflow Vulnerabilities in the PAPI protocol (CVE-2020-24633) - CVSSv3 Score of 9.8
* Unauthenticated Remote Command Injection Vulnerability (CVE-2020-24634) - CVSSv3 Score of 9.8
* Secureboot Bypass vulnerability in 90xx series gateways (CVE-2020-10713, CVE-2020-24637) - CVSSv3 Score of 8.0