https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4520207#M571762 <P>In fairness to Cisco, they did say that the patch was for ISE 2.4 through 3.0 - perhaps it's already fixed in ISE 3.1? Or they have not yet got around to fixing it. Or perhaps ISE 3.1 doesn't use this Apache library?&nbsp; Who knows.</P> <P>&nbsp;</P> <P>Nice try though <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 16 Dec 2021 21:46:19 GMT Arne Bier 2021-12-16T21:46:19Z https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4519970#M571746 <P>ISE 3.1 ( 3.001(000.518) a/k/a 3.1.0.518) is listed as vulnerable, and the current patch that is available is showing for ISE 2.4-3.0.&nbsp; When will an ISE 3.1 patch become available?</P><P>&nbsp;</P><P>Also, a public service announcement:&nbsp; the 3.0 patch doesn't work on ISE 3.1 in case you get impatient like me.&nbsp;</P><P>&nbsp;</P><P>I attempted to install 2.4-3.0 patch on ISE 3.1, and the install worked, but ISE wouldn't start after the install with the following error:</P><PRE>PAN01/admin# application start ise % Error: ISE Integrity Check Failed! One or more ISE program files appears to % be tampered with. Check system log for specific error(s). % Application failed to start</PRE><P>ISE Started without issue after rollback of the patch.</P> Thu, 16 Dec 2021 19:37:07 GMT https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4519970#M571746 pkarelis 2021-12-16T19:37:07Z https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4520207#M571762 <P>In fairness to Cisco, they did say that the patch was for ISE 2.4 through 3.0 - perhaps it's already fixed in ISE 3.1? Or they have not yet got around to fixing it. Or perhaps ISE 3.1 doesn't use this Apache library?&nbsp; Who knows.</P> <P>&nbsp;</P> <P>Nice try though <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 16 Dec 2021 21:46:19 GMT https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4520207#M571762 Arne Bier 2021-12-16T21:46:19Z https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4520272#M571768 <P><STRIKE>Raise a TAC Case.</STRIKE></P> <P>Latest update to the&nbsp;<A href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" target="_self">Vulnerabilities in Apache Log4j Library Affecting Cisco Products</A> security bulletin (update 1.19) has stated hotfix for ISE 3.1 to be available on 17 December 2021.</P> Thu, 16 Dec 2021 23:14:49 GMT https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4520272#M571768 Leo Laohoo 2021-12-16T23:14:49Z https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4520786#M571798 <P>Getting pretty late in the day for the east coast here for a release of the patch for 3.1.&nbsp; Is this still expected today or should we be watching over the weekend?</P> Fri, 17 Dec 2021 21:33:40 GMT https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4520786#M571798 rpmoyer93 2021-12-17T21:33:40Z https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4520819#M571799 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/807029">@rpmoyer93</a>&nbsp;wrote:<BR /> <P>Getting pretty late in the day for the east coast here for a release of the patch for 3.1.&nbsp; Is this still expected today or should we be watching over the weekend?</P> <HR /></BLOCKQUOTE> <P>ISE 3.1 Patch 1 is now available and can be found <A href="https://software.cisco.com/download/home/283801620/type/283802505/release/log4j2-fix-3.1patch1" target="_self">HERE</A>.</P> <P>ISE 3.1 Patch 1 Release Notes can be found <A href="https://www.cisco.com/web/software/283802505/159629/README_Hotpatch_CSCwa47133_Log4j2-fix-3.1-Patch-1.txt" target="_self">HERE</A>.</P> <P><STRONG>NOTE</STRONG>:&nbsp; Applying ISE 3.1 Patch 1 will restart the services.</P> Sat, 18 Dec 2021 00:31:05 GMT https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4520819#M571799 Leo Laohoo 2021-12-18T00:31:05Z https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4524030#M571940 <P>What order should I use to patch my ise deployment w/ the log4j fix. Admin nodes, then mnt, then psn, etc...?</P> Mon, 27 Dec 2021 13:56:32 GMT https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4524030#M571940 Thompso75401 2021-12-27T13:56:32Z https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4524066#M571944 <P>&nbsp;</P> <P>&nbsp;- The order is not important , and or also check this thread :</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<A href="https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521609#M571847" target="_blank">https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521609#M571847</A></P> <P>&nbsp;M.</P> Mon, 27 Dec 2021 16:11:50 GMT https://community.cisco.com/t5/network-access-control/cscwa47133-ise-3-1-log4j-patch-availability/m-p/4524066#M571944 Mark Elsen 2021-12-27T16:11:50Z