Cisco ISE 2.3 patch for Apache Struts

jason.erbe
Level 1

Hello,

This month we see the following vulnerability:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload

Bug: ISE Apache Struts CVE-2016-1000031 Vulnerability

Cisco Bug ID: CSCvn17524

CVE: CVE-2016-1000031

This is a new bug on an old vulnerability, which is noted as impacting all of the current Cisco ISE versions. I see new patch numbers listed for 2.2, 2.4 and 2.5, but nothing for 2.3. Is there a patch 6 coming out for ISE Version 2.3 to correct this problem?

Background:

Summary

• On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.
I've already read the following as well, and see it was successfully patched:

Bug: Evaluation of positron for Struts remote code execution vulnerability August 2018

Cisco Bug ID: CSCvm14030

CVE: CVE-2018-11776

I see there is an add-on patch to resolve this via a .tar file, which needed to be uploaded to ISE from a Repository when ISE 2.3 has Patch 4 installed, and then in the release notes it appears this was resolved as well within Patch 5.

Thanks,

-Jason
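As an added example (not from this thread, and not Cisco's or Apache's code), a small inventory check a defender can run over an extracted application tree to flag Commons FileUpload jars below the 1.3.3 level named in the advisory summary above. The jar paths are constructed sample input, and the Maven-style file naming is an assumption about the deployment being scanned.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Fix level named in the Apache Struts announcement for CVE-2016-1000031.
FIXED_FILEUPLOAD_VERSION: Tuple[int, ...] = (1, 3, 3)
# Maven-style jar names, e.g. commons-fileupload-1.3.2.jar (assumed layout).
JAR_NAME_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

# Constructed sample inventory; not taken from a real ISE node.
SAMPLE_JARS = [
    "/opt/app/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "/opt/app/WEB-INF/lib/commons-io-2.2.jar",
    "/opt/legacy/lib/commons-fileupload-1.2.1.jar",
    "/opt/patched/lib/commons-fileupload-1.3.3.jar",
    "/opt/newer/lib/commons-fileupload-1.4.jar",
]

def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.2' -> (1, 3, 2); '1.4' -> (1, 4)."""
    return tuple(int(part) for part in text.split("."))

def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Component-wise a < b, zero-padding the shorter tuple so (1, 4) is not below (1, 3, 3)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def fileupload_version(path: str) -> Optional[str]:
    """Version string if the file is a Commons FileUpload jar, else None."""
    match = JAR_NAME_RE.match(Path(path).name)
    return match.group(1) if match else None

def affected_jars(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """(path, version) for every Commons FileUpload jar older than the fixed level."""
    hits: List[Tuple[str, str]] = []
    for path in paths:
        version = fileupload_version(path)
        if version and version_lt(parse_version(version), FIXED_FILEUPLOAD_VERSION):
            hits.append((path, version))
    return hits

def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Apply the same check to a real directory tree, e.g. an extracted application bundle."""
    return affected_jars(str(p) for p in Path(root).rglob("*.jar"))
```

A hit only says an old jar is present; whether the application actually reaches the affected FileUpload code path still has to be confirmed against the vendor advisory.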

1 Accepted Solution

Timothy Abbott
Cisco Employee

Jason,

We are aware of the problem and engineers are currently working on a fix. Unfortunately, I cannot confirm when the fix will be issued as part of a patch and what patch number that will be. The reason is that bug fixes in patches are fluid and can possibly change.

Regards,

-Tim

3 Replies
Tim Glen
Cisco Employee

Hi Jason,

On November 20, 2018, Cisco released a patch to fix this Apache Struts issue.

https://software.cisco.com/download/home/283801620/type/283802505/release/Struts2-fix-2.0-2.4

The release notes do not state this BUT the download page does. Make sure you have installed Patch 5 for ISE 2.3 prior to installing the hotfix.

Hope this helps,

Tim

There is a separate readme:

Description: Cisco Identity Services Engine Software Application bundle README file with instructions to install and rollback Apache Struts Commons FileUpload CVE-2016-1000031. This README is applicable to ISE 2.3 release.
Release: Struts2-fix-2.0-2.4
Release Date: 20-Nov-2018
FileName: CSCvn17524_23_P5_HotPatch_ReadMe