topic Re: ISE 3.0 Patch 5, does it require log4j hotfix? in Network Access Control

ISE 3.0 Patch 5, does it require log4j hotfix?

patoberli — Tue, 03 May 2022 08:35:35 GMT

Hi all

Basically the title says it all. Does ISE 3.0 Patch 5 still require the Log4j Hotfix? I'm asking because the release notes state CSCwa47133 as fixed, but neither the hotfix notes nor the bug notes have been updated in regards to Patch 5.

Thanks

Patrick

Re: ISE 3.0 Patch 5, does it require log4j hotfix?

balaji.bandi — Tue, 03 May 2022 08:52:09 GMT

as per i know yes it is required to patch.

Re: ISE 3.0 Patch 5, does it require log4j hotfix?

Mike.Cifelli — Tue, 03 May 2022 14:07:23 GMT

I agree with @balaji.bandi that it is required.

Additional links that should help:

Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021

CSCwa47133 : Bug Search Tool (cisco.com)

https://www.cisco.com/web/software/283802505/159582/README_Hotpatch_CSCwa47133_Log4j2-fix-2.4-3.0.txt

Re: ISE 3.0 Patch 5, does it require log4j hotfix?

patoberli — Tue, 03 May 2022 15:05:29 GMT

Thanks for your replies. Then it's not really nice that this Bug is listed as resolved with P5.

Re: ISE 3.0 Patch 5, does it require log4j hotfix?

Mark Elsen — Tue, 03 May 2022 15:22:41 GMT

- Indeed , but I too am near-sure that it (still) needs to be applied in your case (too). Of course one could look for exploit examples with the searching powers of the Net but that would indeed require some additional efforts.

Re: ISE 3.0 Patch 5, does it require log4j hotfix?

Marcelo Morais — Tue, 03 May 2022 22:55:07 GMT

Hi @patoberli ,

please take a look at: CSCwa47133 ISE Evaluation log4j CVE-2021-44228, ISE 3.0 P5 is a Known Fixed Released:

Also take a look at ISE 3.0 Release Notes.

IMO you are good and don't need to install the hotfix.

Hope this helps !!!

Re: ISE 3.0 Patch 5, does it require log4j hotfix?

patoberli — Wed, 04 May 2022 07:20:39 GMT

Also using exploits might damage the appliance, if still vulnerable. But I hope for the best that P5 indeed includes the patch (it was released some 3-4 months after the log4j patch).

Re: ISE 3.0 Patch 5, does it require log4j hotfix?

Mark Elsen — Wed, 04 May 2022 09:35:28 GMT

- That's a dilemma indeed, I don't want to be the always mr. right person. But here there are solutions too, such as importing or migrating/mapping an appliance to a virtual (VM)-copy and testing on a kind of isolated network. All that of course depends on how strong security requirements for the particular Intranet are.

- Or even installing a virgin ISE node with the particular ISE-version and testing on it.