Security Update Policy

Aviatrix announces security updates and fixes in Critical Patch Update Advisories, PSIRT Advisories, Security Alerts, and Release Notes. You can also set email notifications to alert specific groups about different types of notifications.

Aviatrix discloses vulnerabilities and security through several channels:

When deploying our collective multicloud architecture, it is preferable to perform upgrades within a maintenance window. The Aviatrix Product Security Team intends to support routine operations by shipping quarterly security releases so that upgrades can be planned in advance. If you have any questions, please open an Aviatrix Support ticket.

Patch Tuesday

The Aviatrix Product Security Team intends to ship a security release on the first Tuesday of every third month. A Patch Tuesday can consist of image releases, software releases, or both. Announcements will be made two weeks before a Patch Tuesday release, including whether the release will contain image or software releases.

  • These security releases may contain fixes for multiple CVEs.

  • All fixes that are included will be described in the Patch Tuesday release notes.

The schedule for the Patch Tuesday release is as follows:

  1. 02 Aug 2022

  2. 01 Nov 2022

  3. 07 Feb 2023

  4. 02 May 2023

Unscheduled Security Releases

Aviatrix attempts to ship all security fixes in a Patch Tuesday release. Exceptions to this policy may be made for critical vulnerabilities. Examples of these include:

  • Externally exploitable denial of service vulnerabilities affecting the data plane.

  • Unauthorized externally exploitable remote code execution affecting either the control plane or the data plane.

  • Zero-day vulnerabilities: Depending on context, zero-day generally means a public, unpatched vulnerability. For purposes of this document, we are referring to public, unpatched vulnerabilities that are actively exploited.

Early Disclosure List

The intent of the early disclosure list is to notify you that an upgrade is coming at a specific date and time so that you can prepare a maintenance window to upgrade. The early disclosure email purposely limits vulnerability details prior to release so that when the public becomes aware of a vulnerability, a fix is available. To subscribe to the early disclosure email list, please open a ticket with Aviatrix Support.

Updated Software Packages

An Aviatrix security update may include the following software packages: