
CSCwa47133 - Evaluation log4j CVE-2021-44228

Adam Hinchliff
Level 1

Unfortunately we are running ISE 1.3 (currently trying to migrate to 3.). Before everyone lays into me about running an unsupported version, can Cisco comment on whether log4j 1.x.x is impacted and whether they will offer a workaround?


Leo Laohoo
Hall of Fame

The list of affected products can be found here:  Vulnerability in Apache Log4j Library Affecting Cisco Products

I do not believe any products that are already end-of-support will be patched.

bearman97
Level 1

While log4j 1.x is not explicitly listed as not affected, the announcements I've seen have stated that log4j2 >= 2.0-Beta9 and <= 2.14.1 are affected.

Apache's announcement is currently at logging.apache.org/log4j/2.x/security.html

 

Update Dec 14:  Apache has updated their announcement to explicitly state that log4j v1.x is NOT affected.

They also mention that log4j v2.15 does NOT fix the vulnerability in non-default configurations; v2.16 is required to fully remediate.  I imagine that has some developers/testers groaning as they have to patch and restart testing again.
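
Added example, not part of any post in this thread and not Cisco or Apache code: a Python check that sorts log4j jar filenames from a file inventory into the version ranges quoted above (1.x, 2.0-beta9 through 2.14.1, 2.15, 2.16 and later). The jar naming pattern, the status labels and the sample paths are assumptions constructed for illustration.

```python
import re

# Assumed jar naming: log4j-1.2.17.jar (1.x) and log4j-core-2.14.1.jar (2.x core).
JAR_RE = re.compile(
    r"log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$",
    re.IGNORECASE,
)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before the final release
FINAL = (3, 0)

def parse_version(path):
    """Return a sortable tuple (major, minor, patch, stage, stage_no), or None."""
    m = JAR_RE.search(path)
    if not m:
        return None
    stage = (PRE_RANK[m.group(4).lower()], int(m.group(5))) if m.group(4) else FINAL
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) + stage

# Bounds as quoted in the thread: 2.0-beta9 <= affected <= 2.14.1, 2.16 remediates.
LOW = (2, 0, 0, PRE_RANK["beta"], 9)
HIGH = (2, 14, 1) + FINAL
FIXED = (2, 16, 0) + FINAL

def classify(path):
    v = parse_version(path)
    if v is None:
        return "unrecognised"
    if v[0] == 1:
        return "1.x: not affected"
    if v[0] != 2 or v < LOW:
        return "outside quoted range"
    if v <= HIGH:
        return "affected"
    if v < FIXED:
        return "below 2.16: not fully remediated"
    return "2.16+: remediated"

# Constructed sample inventory (hypothetical paths).
SAMPLE = [
    "/opt/app/lib/log4j-1.2.17.jar",
    "/opt/app/lib/log4j-core-2.0-beta9.jar",
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.15.0.jar",
    "/opt/app/lib/log4j-core-2.16.0.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):35} {p}")
```

A filename match only narrows the search: shaded or repackaged jars carry no version in their name and need their contents inspected.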