topic Re: FPR-1010 - What should the version be after patching with LOG4j Ho in Endpoint Security

FPR-1010 - What should the version be after patching with LOG4j Hotfix

yleduc — Wed, 05 Jan 2022 15:37:06 GMT

Hello all,

Just patched an FPR-1010 with the Hotfix for Log4J. While Patch History says that it is there, when I look at version either through FDM or via the CLI, there are no trace of its presence. How can I confirm the patch is there and running.

In my case, I applied 6.6.5.1-15 and then the hotfix 6.6.5.2-4. The version returned is 6.6.5.1-15.

Anybody seen this behaviour ?

Thank you.

Re: FPR-1010 - What should the version be after patching with LOG4j Ho

Mohammed al Baqari — Wed, 05 Jan 2022 16:01:30 GMT

Hi,

I had same case with 7.0.1. Go to FTD CLI and from expert navigate to ls
/var/sf/updates

If you see Uninstaller for the patch created then patch was installed
successfully.

**** please remember to rate useful posts

Re: FPR-1010 - What should the version be after patching with LOG4j Ho

yleduc — Wed, 05 Jan 2022 16:43:30 GMT

Thanks Mohammed.

Yes I do have the uninstaller in the provided directory. Just wonder why they have a version number on the file but don't use it. Would be so much simpler instead of having to go into the guts of their software.

Re: FPR-1010 - What should the version be after patching with LOG4j Ho

yleduc — Wed, 05 Jan 2022 20:06:32 GMT

Update to the solution:

while searching on the problem, I found the following. if you run find / -name log4j* -print 2>/dev/null you will obtain the following in the result:

/ngfw/var/cisco/ngfwWebUi/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
/ngfw/var/cisco/ngfwWebUi/tomcat/webapps/ROOT/WEB-INF/lib/log4j-1.2-api-2.16.0.jar
/ngfw/var/cisco/ngfwWebUi/tomcat/webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
/ngfw/var/cisco/ngfwWebUi/tomcat/webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar

and previous files (updated by 6.6.5.2)

/ngfw/var/cisco/ngfwWebUi/ftd_onbox_6.6.5.2_previous/ROOT/WEB-INF/lib/log4j-1.2-api-2.3.jar
/ngfw/var/cisco/ngfwWebUi/ftd_onbox_6.6.5.2_previous/ROOT/WEB-INF/lib/log4j-api-2.3.jar
/ngfw/var/cisco/ngfwWebUi/ftd_onbox_6.6.5.2_previous/ROOT/WEB-INF/lib/log4j-core-2.3.jar
/ngfw/var/cisco/ngfwWebUi/ftd_onbox_6.6.5.2_previous/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.3.jar

Re: FPR-1010 - What should the version be after patching with LOG4j Ho

yleduc — Tue, 25 Jan 2022 20:08:24 GMT

while debugging an upgrade, I found the following directory for the actual status of the upgrade as you can actually follow along while the upgrade is taking place. This way, you are not kept in the dark of what is going on.

The directory is /ngfw/var/log/sf. In that directory, there is a file update_status or upgrade_status (don't remember the filename exactly) that you can tail -f to see the upgrade process taking place. There is also a subdirectory for each patch that are applied with more details.