topic Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability in Network Security

Security: CVE-2021-44228 -> Log4j 2 Vulnerability

amralrazzaz — Mon, 20 Dec 2021 15:49:56 GMT

Dear i have ASA-5516X device and cisco has defind that this device can be infected with the new recent vulnerability log4shall

i they just release hotfix to be added on ASA ftd device !

the work around is how to apply this hotfix or patched on my device

SO I HAVE 2 FTD devices (Cisco ASA5516-X Threat Defense) 1 running Version 6.6.1 (Build 91) and other one is Cisco ASA5516-X Threat Defense (75) Version 6.2.2 (Build 81) so please i need to know how can we fix this exploit ?

im running these devices managed by FDM NOT FMC ? PLEASE NEED ADVICE URGENT AND WHATS THE STEPS TO DO FOR THIS ?

according to this link https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46963 they release hotfix and i need to know how to add it on my Cisco ASA5516-X Threat Defense (75)

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Marvin Rhoads — Mon, 20 Dec 2021 16:17:09 GMT

You install hotfixes the same way you install other updates.

https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes/about-firepower-hotfixes.html

As I explained in the other thread related to this topic, the 6.4.0 hotfix (Cisco_FTD_Hotfix_EP-6.4.0.14-9.sh.REL.tar) only applies to Firepower 6.4.0.x software - not your 6.6.1 or 6.2.2 devices. Those are still pending the release of a hotfix as of 20 December 2021.

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

amralrazzaz — Tue, 21 Dec 2021 00:31:46 GMT

i can see now that cisco release hotfix for 6.6.5 and what im currently using is Cisco ASA5516-X Threat Defense (75) Version 6.6.1 (Build 91) and dunt know what do know ? actually i dont wanna go for upgrade ! dunt know if there ae any possible ways to keep this version and dunt know if the hotfix for 6.6.5 will be compatible with my version or what ?!!

is it just from FDM i can browse Cisco_FTD_Upgrade-6.6.5-81.sh.REL.tar via gui and then upgrade ? and thats it?

is the current configurations will be removed or shall get backup then restore again ?

need advice please???

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

amralrazzaz — Tue, 21 Dec 2021 00:25:08 GMT

@Marvin Rhoads

can you please give the steps to upgrade from 6.6.1 to 6.6.5 asn im already donwloaded Cisco_FTD_Upgrade-6.6.5-81.sh.REL.tar and i just need to know if i have to install also boot image and tftp using and install asa from scratch or its just like browse from fdm gui browse the tar file and upgrade ?

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Marvin Rhoads — Tue, 21 Dec 2021 03:27:47 GMT

Many of the things you are asking are clearly explained in the online help that's available in FDM or the FMD configuration guide.

Please do your due diligence and at least check there before asking.

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

amralrazzaz — Tue, 21 Dec 2021 11:10:28 GMT

@Marvin Rhoads

im using Device is running Cisco ASA5516-X Threat Defense (75) Version 6.6.1 (Build 91) and need to upgrade to the steps on below:

update to 6.6.5
update to 6.6.5.1
install hotfix DA

Note: my ftd is running/managed on firepower device manager ? so shall i use this Cisco_FTD_Upgrade-6.6.5-81.sh.REL.tar for upload on device and upgrade !

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Marvin Rhoads — Tue, 21 Dec 2021 12:46:06 GMT

Each of those upgrades has its own file which is clearly named on the downloads page.

Each one is installed the same way via FDM.

Install then in the order listed.

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

amralrazzaz — Tue, 21 Dec 2021 14:39:09 GMT

Dear i already installed the files in separated steps and now after hotfix has been installed and ftd reboot ? how do i make sure that hotfix has been installed ? is there any show commands to find this ?

my version now is :

Cisco Fire Linux OS v6.6.5 (build 13)
Cisco ASA5516-X Threat Defense v6.6.5.1 (build 15)

so need to know if hotfix already installed after i finished doing all steps!!!

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

amralrazzaz — Tue, 21 Dec 2021 14:48:28 GMT

@Marvin Rhoads Dear i had check the hotfix version after installed and this what i got and is that refer to what i installed recently ?

Cisco_FTD_Hotfix_DA-6.6.5.2-4.sh.REL.tar

6.6.1-91
6.6.5-81
6.6.5.1-15
Hotfix_DA-4__856373902

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Marvin Rhoads — Tue, 21 Dec 2021 18:43:04 GMT

Read the release notes!

https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes/about-firepower-hotfixes.html

Verifying Hotfix Success

To verify that your hotfix installed successfully, access the Linux shell (also called expert mode) and run the following command:

cat /etc/sf/patch_history

The system lists all successful major upgrades, patches, hotfixes, and pre-install packages since the appliance was freshly installed.

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Md Sakib Hossain — Tue, 21 Dec 2021 18:50:56 GMT

Yes, it is very helpful

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

amralrazzaz — Wed, 22 Dec 2021 00:10:27 GMT

@Marvin Rhoads

okay for i can see the version 6.2.3 hotfix release and i need to ask you :
i currently run Cisco ASA5516-X Threat Defense v6.2.3.3 (build 76) so shall use the hotfix
file directly (Cisco_FTD_Hotfix_EM-6.2.3.18-13.sh.REL.tar) or i have to run this (Cisco_FTD_Patch-6.2.3.17-30.sh.REL.tar)
then running the hotfix after ?

also this is what u currently running now :
6.2.2-81
6.2.3-83
6.2.3.3-76

Firepower Threat Defense Hotfix 6.2.3 EM
do not untar
Cisco_FTD_Hotfix_EM-6.2.3.18-13.sh.REL.tar
Advisories
20-Dec-2021
135.47 MB

Firepower Threat Defense Patch 6.2.3.17
do not untar
Cisco_FTD_Patch-6.2.3.17-30.sh.REL.tar

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

Marvin Rhoads — Wed, 22 Dec 2021 03:31:36 GMT

Upgrade to 6.2.3.17 first using Cisco_FTD_Patch-6.2.3.17-30.sh.REL.tar.

After that is successful add the hotfix Cisco_FTD_Hotfix_EM-6.2.3.18-13.sh.REL.tar

Re: Security: CVE-2021-44228 -> Log4j 2 Vulnerability

bcoverstone — Thu, 23 Dec 2021 18:35:26 GMT

This is key here people!!! I did not know about the patch_history.

The firmware version listed in the UI or even on the FXOS images scope will still show the old version!

I opened a TAC case because I did not know about the "patch_history" trick. You would think this would be in the UI.

I ended up verifying mine by running:

root@FTD:/# find . -name log4j*

./ngfw/var/cisco/ngfwWebUi/tomcat/webapps/ROOT/WEB-INF/lib/log4j-core-2.16.jar <-- the core file will be 2.3 pre hotfix and 2.16 post hotfix