topic Re: ISE 2.7 patch 3 installed and log4j hot patch is applied. in Network Access Control

ISE 2.7 patch 3 installed and log4j hot patch is applied.

MAGNUS SVENSSON — Tue, 11 Jan 2022 08:47:47 GMT

ISE 2.7 patch 3 installed and log4j hot patch is applied. If I install patch 6 , do I have to apply the log4j hot patch after that ?

Re: ISE 2.7 patch 3 installed and log4j hot patch is applied.

balaji.bandi — Tue, 11 Jan 2022 09:39:27 GMT

yes as per i remember if any upgrade take place, the patch need to applied as per my understanding.

Re: ISE 2.7 patch 3 installed and log4j hot patch is applied.

Marcelo Morais — Tue, 11 Jan 2022 12:09:22 GMT

Hi @MAGNUS SVENSSON ,

as @balaji.bandi said, the answer is Yes, but remember that usually it is recommended to rollback a Hot Patch before applying a regular ISE Patch release !!!

Hope this helps !!!

Re: ISE 2.7 patch 3 installed and log4j hot patch is applied.

Darkmatter — Wed, 02 Feb 2022 15:30:12 GMT

I'm in the same boat as @MAGNUS SVENSSON.

Is there some official Cisco communication that confirms this how it should be done?

Re: ISE 2.7 patch 3 installed and log4j hot patch is applied.

Marcelo Morais — Wed, 02 Feb 2022 18:37:16 GMT

Hi @Darkmatter ,

please take a look at: Cisco Secure Alert. and December Security Update Review.

Hope this helps !!!

Re: ISE 2.7 patch 3 installed and log4j hot patch is applied.

Darkmatter — Thu, 03 Feb 2022 07:57:59 GMT

Thank you @Marcelo Morais , i'm well aware about Log4J. With all due respect, but the links you posted have nothing do with the procedure of how to properly patch your ISE if you had the Log4J Hotpatch installed.

So my question remains, where to find the official and exact Cisco procedure that clearly states which steps to take in order to correctly install my 2.7 patch 6.

Re: ISE 2.7 patch 3 installed and log4j hot patch is applied.

Marcelo Morais — Thu, 03 Feb 2022 20:15:33 GMT

Hi @Darkmatter ,

no worries .

If you are talking about the step to step process to install log4j ... at ISE Software, search for Log4j2021, select you version, put you mouse at the filename and click the Release Notes (for ex.: README for installing Hot Patch to fix CSCwa47133).

If you are talking about ISE Patch installation, please take a look at: Patch Installation on ISE and FAQ during Installation.

Hope this helps !!!

Re: ISE 2.7 patch 3 installed and log4j hot patch is applied.

Darkmatter — Fri, 04 Feb 2022 15:20:50 GMT

Hello @Marcelo Morais ,

I finally found an answer myself by Googling and ... landing back on the forum here, a post provided by a Cisco employee, but regarding an older hotpatch and ISE 2.2

https://community.cisco.com/t5/network-access-control/ise-2-2-patch-12-apache-struts-vulnerability/td-p/3774554

Don't know if this way of working is still valid or that this changed in the mean time.

So to be absolutely sure, i'm going to create a TAC case for this to get a definitive answer from Cisco.

Because if it's no clearly documented, you'll never be sure about this is the right or wrong way (with the possibility of breaking things if your are unlucky)

I'll revert back as soon as an answer on my TAC case is received!

Re: ISE 2.7 patch 3 installed and log4j hot patch is applied.

Marcelo Morais — Fri, 04 Feb 2022 21:10:13 GMT

Hi @Darkmatter ,

glad to hear that.

Note: if you are looking for the HotPatch Rollback process, it is described on the link I provided before:

===============
How to Rollback 
===============

(Note: This is only required if you need to remove the hot patch)

Login to ISE CLI
Invoke the following command to rollback the hot patch:

"application install ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz  <REPOSITORY_NAME>"

Regards

Re: ISE 2.7 patch 3 installed and log4j hot patch is applied.

Darkmatter — Tue, 15 Feb 2022 16:32:13 GMT

As per Cisco TAC where we had a case open to ask and confirm, log4j patch does not need to be uninstalled and you can patch directly.

Hope this helps!