topic Re: ISE 2.7.0.356 in Network Access Control

ISE 2.7.0.356

ganeshwaree.ramburruth — Mon, 13 Dec 2021 03:59:18 GMT

Hello,

Could someone please advise which version of ISE is not affected by the log4j vulnerability?

What is the workaround if any ?

Cheers,

Gan

Re: ISE 2.7.0.356

sumitagr — Mon, 13 Dec 2021 04:58:47 GMT

Only log4j versions 2.x.x are vulnerable. Apps using log4j 1.x.x are NOT vulnerable, so no action needs to be taken on applications using the older log4j versions.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47133

Re: ISE 2.7.0.356

matt.w — Mon, 13 Dec 2021 05:29:39 GMT

I thought Apache foundation is to update all versions of log4j, as the no longer supported 1.x stream is open to this and others RCE exploits

Re: ISE 2.7.0.356

Adam Hinchliff — Mon, 13 Dec 2021 08:19:55 GMT

Are you sure? I'm reading because 1.0 is no longer supported its also impacted.

Re: ISE 2.7.0.356

AigarsK — Mon, 13 Dec 2021 23:49:34 GMT

Bit misleading as in CSCwa47133 it does not state that ISE is running older version, it also lists all versions from 2.6 to 3.1 as affected.

Re: ISE 2.7.0.356

ganeshwaree.ramburruth — Mon, 13 Dec 2021 23:54:46 GMT

Do we know on which version of log4j ISE 2.7.0.356 is using?

Re: ISE 2.7.0.356

Marcelo Morais — Tue, 14 Dec 2021 00:27:57 GMT

Hi @ganeshwaree.ramburruth ,

please take a look at Cisco ISE 2.7 Release Notes, search for log4j.

Note: CSCvs66551 Multiple Vulnerabilities in apache log4j ... solved on 2.7 P5.

Hope this helps !!!

Re: ISE 2.7.0.356

ganeshwaree.ramburruth — Tue, 14 Dec 2021 01:21:44 GMT

Hi @Marcelo Morais ,

Thanks for the info. However the 2.7 version patch 5 is addressing an another vulnerability.

The new patch for this vulnerability will be in patch 7.

Re: ISE 2.7.0.356

matt.w — Tue, 14 Dec 2021 01:46:58 GMT

OFFICIAL

So is the information listed in the Bug details not correct? Does the 3-patch4 fix this issue or not?
[cid:image001.png@01D7F0E4.62A5ED10]

Re: ISE 2.7.0.356

ganeshwaree.ramburruth — Tue, 14 Dec 2021 01:59:23 GMT

This bug CSCvs66551 is for a vulnerability dated on the 2019 and it is not relevant.Bug Search Tool (cisco.com)

I dont believe it fixes the issue. If you go on this link Bug Search Tool (cisco.com), there is still no fixed release.

Re: ISE 2.7.0.356

matt.w — Tue, 14 Dec 2021 02:24:34 GMT

Ahh my bad, I saw it was updated today with patches listed against it...... thought it was the current issues.

Re: ISE 2.7.0.356

Marcelo Morais — Thu, 16 Dec 2021 07:54:40 GMT

Hi @ganeshwaree.ramburruth ,

Cisco provided a Hot Patch for the log4j PSIRT bug - CSCwa47133.: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz (15-Dec-2021).

Hope this helps !!!

Re: ISE 2.7.0.356

AigarsK — Thu, 16 Dec 2021 08:26:35 GMT

Thanks Marcelo,

I am already in process of applying it on my second node.

Out of interest, is someone able to confirm if this patch is going to be persistent, that is, if I am running ISE 2.7 Patch 4 as that is the highest version mention to be compatible with Cisco DNA Center 2.2.2.3 on 2.7 platform. If this later gets compatibility for Patch 6 and I install the patch, do I have to be concerned that this hotfix gets removed and needs to be reapplied?

Thanks in advance.

Re: ISE 2.7.0.356

Marcelo Morais — Thu, 16 Dec 2021 08:36:05 GMT

Hi @AigarsK ,

I always prefer to rollback the Hot Patch before applying a regular ISE Patch release.

You are able to use the "show application" command to check the Hot Patch installation or the "show logging application hotpatch.log" to check if the Hot Patch was installed successfully.

Hope this helps !!!

Re: ISE 2.7.0.356

AigarsK — Thu, 16 Dec 2021 08:41:07 GMT

Thanks Marcelo for the advice.

Re: ISE 2.7.0.356

DennisTX — Thu, 16 Dec 2021 08:48:33 GMT

Hi,

i just downloaded the small files (4 and 5 KB) and transfered them to my repo.

Before i´ll start the installation, i have a question:

Do i need to restart the ISE nodes after installation? Can´t find any information about this in the README file.

Regards,

Dennis

Re: ISE 2.7.0.356

Marcelo Morais — Thu, 16 Dec 2021 09:14:08 GMT

Hi @DennisTX ,

during the Hot Patch installation, the Application Server restarts ... take a look at the following:

Note: remember to install the Hot Patch on all Nodes.

ise/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz LOCAL
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...

Checking if CSCwa47133_all_common_1 is already applied
- Successful

Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
- Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application

Hot patch applied successfully
job 1 at Thu Dec 16 06:05:00 2021

Application successfully installed

ise/admin# show application
<name> <Description> 
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6

Hope this helps !!!

Re: ISE 2.7.0.356

AigarsK — Thu, 16 Dec 2021 09:16:27 GMT

Hi DennisTX,

During the installation of the HotFix, it does restart Cisco ISE Application Server, no full ISE restart required as much I can tell.

Nothing else was required apart from considerations on impact it might have on your deployment so that user authentication is not disrupted.

Re: ISE 2.7.0.356

ganeshwaree.ramburruth — Thu, 16 Dec 2021 10:01:22 GMT

Yes i am going to apply the hot fix. thanks.

Re: ISE 2.7.0.356

DennisTX — Thu, 16 Dec 2021 10:07:38 GMT

Thank you,

i´m trying to install the hotfix on our passive admin node.

But for now, it´s stuck at "building configuration" after saving the current ADE-OS running configuration for around 40 minutes. I guess this is too long.

System information:

SNS-3655-K9.

ISE: 2.7.0.356

ADE: 3.0.7.057

Any suggestions?

Regards,

Dennis