Security Advisory for firewalls published 19 july

mMontana
mMontana Posts: 1,071
1000 Comments 25 Answers Friend Collector Third Anniversary
 Guru Member
without the damned link to wk28 file.

The way Zyxel is managing this occurrencies keep looking bad, uncomplete and unsatisfying.

All Replies

  • USG_User
    USG_User Posts: 337
    First Answer First Comment Friend Collector Fifth Anniversary
     Master Member
    I often crosscheck the European Zyxel page. This morning only WK25 was still available. But now WK28 is offered, at least for our USG110:

  • mMontana
    mMontana Posts: 1,071
    1000 Comments 25 Answers Friend Collector Third Anniversary
     Guru Member
    edited July 2022
    I already found the firmware lab page.
    Which is quite not respectful for the customer (aside a missing full fledged and verified release, due to still on support devices) is that the customer itself have to look for by itself.

    Moreover
    5.x devices have a full fledged release, with all bells and whistles like the support to auto upgrade, which WK firmwares are not.

    This tells me that "support until 31/12" for 4.x device as marketing stunt, or without policy restrains, quite a lie.
  • USG_User
    USG_User Posts: 337
    First Answer First Comment Friend Collector Fifth Anniversary
     Master Member
    edited July 2022
    Yes, I'm with you. These permanent WK lab versions do not create trust in the product, especially if an ordinary release will not offered shortly thereafter. It seems customers should be encouraged to change-over to a newer product (like USG Flex).

    Due to the end-of-life of our USG110 we have to decide what's coming next with us. But the decision is not yet taken, since we have to replace 2 devices (another device is always for cold redundancy at our production environment). This costs a lot of money again and is not sustainable to the environment, since our USG has actually still enough performance (for us).

    Will see, how we decide.
  • mMontana
    mMontana Posts: 1,071
    1000 Comments 25 Answers Friend Collector Third Anniversary
     Guru Member
    If you can avoid public network exposure for your USG110, IMVHO replacement could be delayed.
  • USG_User
    USG_User Posts: 337
    First Answer First Comment Friend Collector Fifth Anniversary
     Master Member
    mMontana said:
    If you can avoid public network exposure for your USG110, IMVHO replacement could be delayed.

    Unfortunately not. Beside our own internet access, different of our clients are connecting to our servers for different services.
  • mMontana
    mMontana Posts: 1,071
    1000 Comments 25 Answers Friend Collector Third Anniversary
     Guru Member
    Then be proactive. Device should be replaced during the end of december, for avoiding issues (and having a rollback device in case of problems)
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,216
    100 Answers 1000 Comments Friend Collector Fifth Anniversary
     Guru Member
    edited July 2022
    Hi @mMontana @USG_User

    It is because ZLD4.X and ZLD5.X firmware release schedule are different.
    ZLD5.X firmware for USG FLEX/ATP series release schedule was planed at Q3, so the vulnerability fix in 5.31C0 firmware directly.
    ZLD4.X firmware for USG/ZyWALL series release schedule planed at Q4. So we release a patch firmware USG/ZyWALL series first. We do have formal version(ZLD4.73) in the future. Of course it will full fledged and verified before it is released.

    You can download 4.72WK28 firmware from News & Release page too. :)
  • mMontana
    mMontana Posts: 1,071
    1000 Comments 25 Answers Friend Collector Third Anniversary
     Guru Member
    I don't personally need the links. But if your advisory lacks to link for lab firmwares fails the goal for speedup the upgrade and the protection of your second-choice customers.
    I write "second choice" because more over than not access to the same automated upgrade mechanism for ZLD 4.x devices, the customer have to look for the firmware files for allowing a safe (hoping) upgrade.
    Please, don't get me wrong: I'm really glad that Zyxel publish updates when vulnerabilities are reported, but this "moral suasion" to buy sooner the newer box feels bad.

Security Highlight