Hello,
This month we see the following vulnerability:
Bug: ISE Apache Struts CVE-2016-1000031 Vulnerability
Cisco Bug ID: CSCvn17524
CVE: CVE-2016-1000031
This is a new bug on an old vulnerability, which is noted as impacting all of the current Cisco ISE versions. I see new patch numbers listed for 2.2, 2.4 and 2.5, but nothing for 2.3. Is there a Patch 6 coming out for ISE Version 2.3 to correct this problem?
Background:
On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.
I've already read the following as well, and see it was successfully patched:
Bug: Evaluation of positron for Struts remote code execution vulnerability August 2018
Cisco Bug ID: CSCvm14030
CVE: CVE-2018-11776
I see there is an add-on patch to resolve this via a .tar file, which needed to be installed on ISE via an upload from a Repository when ISE 2.3 has Patch 4 installed, and then in the release notes it appears this was resolved as well within Patch 5.
Thanks,
-Jason
Jason,
We are aware of the problem and engineers are currently working on a fix. Unfortunately, I cannot confirm when the fix will be issued as part of a patch, or what patch number that will be. The reason is that bug fixes in patches are fluid and can possibly change.
Regards,
-Tim
Hi Jason,
On November 20, 2018, Cisco released a patch to fix this Apache Struts issue.
https://software.cisco.com/download/home/283801620/type/283802505/release/Struts2-fix-2.0-2.4
The release notes do not state this BUT the download page does. Make sure you have installed Patch 5 for ISE 2.3 prior to installing the hotfix.
Hope this helps,
Tim