Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1002
Views
0
Helpful
3
Replies
Highlighted
jason.erbe
Beginner
Beginner
‎11-19-2018 10:01 AM
‎11-19-2018 10:01 AM

Cisco ISE 2.3 patch for Apache Struts

 

Hello,

 

This month we see the following vulnerability:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload

Bug:  ISE Apache Struts CVE-2016-1000031 Vulnerability

Cisco Bug ID:  CSCvn17524

CVE:  CVE-2016-1000031

 

This is a new bug on an old vulnerability, which is noted as impacting all of the current Cisco ISE versions.  I see new patch #'s listed for 2.2, 2.4 and 2.5 - but nothing for 2.3.  Is there a patch 6 coming out for ISE Version 2.3 to correct this problem?

 

Background:

Summary

 

  • On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.

     

I've already read the following as well, and see it was successfully patched:

Bug:  Evaluation of positron for Struts remote code execution vulnerability August 2018

Cisco Bug ID:  CSCvm14030

CVE:  CVE-2018-11776

 

I see there is an add on patch to resolve this via a .tar file which needed to be ISE via an upload from a Repository when ISE 2.3 has Patch 4 installed, and then in the release notes it appears this was resolved as well within Patch 5.

 

Thanks,

-Jason

 

0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Timothy Abbott
Cisco Employee
Cisco Employee
‎11-19-2018 10:16 AM
‎11-19-2018 10:16 AM

Jason,

 

We are aware of the problem and engineers are currently working on a fix.  Unfortunately, I cannot confirm the fix will make it into when it will be issued as part of a patch and what patch number that is.  The reason is because bug fixes in patches are fluid and can possibly change.

 

Regards,

-Tim

View solution in original post

0 Helpful
Reply
3 REPLIES 3
Highlighted
Timothy Abbott
Cisco Employee
Cisco Employee
‎11-19-2018 10:16 AM
‎11-19-2018 10:16 AM

Jason,

 

We are aware of the problem and engineers are currently working on a fix.  Unfortunately, I cannot confirm the fix will make it into when it will be issued as part of a patch and what patch number that is.  The reason is because bug fixes in patches are fluid and can possibly change.

 

Regards,

-Tim

View solution in original post

0 Helpful
Reply
Highlighted
Tim Glen
Beginner
Beginner
‎11-29-2018 07:31 PM
‎11-29-2018 07:31 PM

Hi Jason,

 

On November 20, 2018, Cisco released a patch to fix this Apache Struts issue. 

 

https://software.cisco.com/download/home/283801620/type/283802505/release/Struts2-fix-2.0-2.4

 

The release notes do not state this BUT the download page does.  Make sure you have installed Patch 5 for ISE 2.3 prior to installing the hotfix.

 

Hope this helps,

 

Tim

 

 

 

0 Helpful
Reply
Highlighted
Jason Kunst
Cisco Employee
Cisco Employee
In response to Tim Glen
‎11-30-2018 06:31 AM
‎11-30-2018 06:31 AM

There is a separate readme

Description : Cisco Identity Services Engine Software Application bundle README file with instructions to install and rollback Apache Struts Commons FileUpload CVE-2016-1000031. This README is applicable to ISE 2.3 release.
Release : Struts2-fix-2.0-2.4
Release Date : 20-Nov-2018
FileName : CSCvn17524_23_P5_HotPatch_ReadMe

0 Helpful
Reply
Latest Contents
Bridge the security gap with Cisco Remote Secure Worker
Created by Kelli Glass on 02-26-2021 04:37 PM
0
0
0
0
More people are working remotely, and this increases the risk of security breaches and the difficulty in defending remote workers where they work and securing the devices they use. Learn about Cisco Remote Secure Worker solutions that verify workers, secu... view more
ISE Performance & Scale
Created by howon on 02-24-2021 08:26 PM
11
219
11
219
    ISE Node Terminology PAN MNT PSN PXG Policy Administration Node Monitoring & Troubleshooting Node Policy Services Node Platform Exchange Grid Node The single plane of glass for ISE administration and configuration operatio... view more
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Cisco Secure Endpoint Free Trial Guide
Created by E.L. Howard on 02-15-2021 07:36 PM
0
0
0
0
  About this Document Cisco Secure Endpoint (formerly AMP for Endpoints) is a comprehensive Endpoint Security solution designed to function both as a stand-alone tool, and as a part of the architecture of natively integrated Cisco and 3rd par... view more
Content for Community-Ad