cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13461
Views
20
Helpful
8
Replies
Kundan Prasad
Beginner

Cisco ISE : CSCwa47133 - Evaluation log4j CVE-2021-44228

Hello Experts !


I see that the Cisco ISE has been added to the Vulnerable products from Products under investigation.
Will there be any problem on Cisco ISE due to this so called log4j ?

8 REPLIES 8
Leo L
VIP Community Legend

The list of affected products can be found here:  Vulnerability in Apache Log4j Library Affecting Cisco Products

Fixes are not yet out.  

patoberli
VIP Advisor

Probably yes. So you need to make sure that your ISE gets patched as quickly as possible, once a patch is out. I do hope for a workaround alternatively. I can't tell you how bad this is, but I guess if you have the guest-portal active, that any person reaching this portal can take over the ISE (in the worst case). 

avi
Beginner
Beginner

Fix for the Log4J vulnerability is now available for Version 2.4, 2.6, 2.7, 3.0. you can get by your CCO ID.

https://software.cisco.com/download/home/283801620/type/283802505/release/Log4j2-fix-2.4-3.0?catid=268438162

 

 

We are version 2.0 of the ISE model SNS-3415.

 

2.0 version not support patching to resolve vulnerabilities?

Leo L
VIP Community Legend


@Louis-B wrote:

2.0 version not support patching to resolve vulnerabilities?


No, it does not. 

sdfgdfgfddfdfgdf
Beginner

I see the patch for ISE 2.4 was released on 17th December.

 

But looking at the timeline in the advisory, log4j version 2.16 has since been disclosed as vulnerable on 18th December.

 

Anyone know if this means we are waiting for another patch to be released?

answering my own question;

I just found the patch removes the JndiLookup class from the classpath, which also satisfies the fix in 2.17 for CVE-2021-45046

No need to patch again, yet

Omar Santos
Cisco Employee

Hello,

 

I noticed this thread and wanted to provide additional details about the impact of the Log4j RCE (Log4Shell) Vulnerability in Cisco Identity Services Engine (ISE) and other Cisco products.

 

Cisco released hotfixes that address this vulnerability in December 2021. The hotfix completely removes the JndiLookup.class from the code. In addition, Log4j will be upgraded to 2.17.0 in the next release Cisco ISE software.

 

Refer to the following FAQ for additional information about the hotfixes and affected ISE versions:
https://www.cisco.com/c/dam/en/us/products/se/2021/12/Collateral/ise-log4j-faq.pdf 

 

The Cisco Event Response page includes additional frequently asked questions about the investigation of all Cisco products and services: https://tools.cisco.com/security/center/resources/prod_svc_info_log4j.html 

 

The Cisco Security Advisory includes the list of all Cisco products affected and is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd 

 

Hope this helps!