Patching Evaluated Products

Summary

  1. This Broadcast reaffirms DSD advice that Australian Government agencies patch known vulnerabilities in all products as they are discovered, where the decision to do so is based on an agency-conducted risk assessment.
  2. Products being used to protect highly classified information, which have been certified through DSD's High Assurance program, are excluded from this recommendation.

Details

  1. In the Australian Government Information Security Manual (ISM) and Strategies to Mitigate Targeted Cyber Intrusions, DSD recommends agencies apply security patches to applications and operating systems, or upgrade to the latest version, as soon as possible after release. DSD also advises that agencies select ICT products which have been formally evaluated by DSD or a DSD-recognised evaluation program, and which have the desired security functionality in the scope of the product's evaluation.
  2. Implementing this advice has become more complex in the case of patching evaluated products, since patching can potentially place a product in an unevaluated configuration. This is not a typical outcome, however, some security patches (particularly when bundled in a service patch or major release) introduce new functionality into products which has not been evaluated. This can affect the confidence gained through the evaluation process that the product performs in a secure manner and as claimed by the vendor.
  3. In the majority of cases, the latest patched product version is more secure than the older evaluated product version. Accordingly, DSD recommends patching known vulnerabilities as they are discovered. As a general rule, mitigating known vulnerabilities is more crucial than avoiding potential unknown vulnerabilities.
  4. However, any decision to patch an evaluated product should be based on an agency-conducted security risk assessment. Either option involved with patching evaluated products will present risks which need to be understood and formally accepted. In particular:
    1. Patching (particularly when the patch also contains feature enhancements, such as a service pack) could introduce new vulnerabilities that would typically be identified during an evaluation, and which could break compliance with the associated consumer guide.
    2. Not applying patches will mean the system is susceptible to known vulnerabilities and its security will degrade over time.

Exceptions

  1. Products being used to protect highly classified information, which have been certified through DSD's High Assurance program, are excluded from this recommendation. In accordance with the ISM, agencies must not patch high assurance products without DSD approval.

Further information

  1. Further information can be found in the Australian Government Information Security Manual and Strategies to Mitigate Targeted Cyber Intrusions.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.