11-19-2018 10:01 AM
Hello,
This month we see the following vulnerability:
Bug: ISE Apache Struts CVE-2016-1000031 Vulnerability
Cisco Bug ID: CSCvn17524
CVE: CVE-2016-1000031
This is a new bug on an old vulnerability, which is noted as impacting all of the current Cisco ISE versions. I see new patch #'s listed for 2.2, 2.4 and 2.5 - but nothing for 2.3. Is there a patch 6 coming out for ISE Version 2.3 to correct this problem?
Background:
On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.
I've already read the following as well, and see it was successfully patched:
Bug: Evaluation of positron for Struts remote code execution vulnerability August 2018
Cisco Bug ID: CSCvm14030
CVE: CVE-2018-11776
I see there is an add-on patch to resolve this via a .tar file, which needed to be uploaded to ISE from a Repository when ISE 2.3 had Patch 4 installed, and then in the release notes it appears this was resolved as well within Patch 5.
Thanks,
-Jason
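The Struts announcement quoted in the question sets Commons FileUpload 1.3.3 as the minimum fixed release. Below is an added example, not code from this thread or from Cisco: a Python inventory check that walks a directory of jars (for example an exploded web application's WEB-INF/lib), reads each jar's META-INF/MANIFEST.MF, and flags every copy of Commons FileUpload older than 1.3.3. The manifest is consulted before the file name because a bundled library may ship under a renamed jar. The sample jars it builds are constructed stand-ins that contain only a manifest, and the directory layout, file names and helper names (`find_vulnerable_fileupload`, `run_demo`) are assumptions for illustration.

```python
# Added example: find bundled Apache Commons FileUpload jars older than 1.3.3
# (the fixed release named in the Struts announcement for CVE-2016-1000031).
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (1, 3, 3)   # minimum safe release per the Struts announcement

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")
_NAME_RE = re.compile(r"commons-fileupload-(\d[\w.\-]*?)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'1.3.2' -> (1, 3, 2); '1.3' -> (1, 3, 0); None for unparseable input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def _manifest_fields(jar):
    """Parse META-INF/MANIFEST.MF of an open ZipFile into a dict (continuation lines joined)."""
    try:
        raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    fields, last = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and last:            # manifest continuation line
            fields[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            fields[last.strip()] = value.strip()
    return fields


def fileupload_version(path):
    """Version of Commons FileUpload a jar carries, or None if it is some other jar.
    The manifest wins over the file name because repackaged jars are often renamed."""
    path = Path(path)
    try:
        with zipfile.ZipFile(path) as jar:
            fields = _manifest_fields(jar)
    except zipfile.BadZipFile:
        fields = {}
    ident = " ".join(fields.get(k, "") for k in ("Implementation-Title", "Bundle-SymbolicName"))
    if "fileupload" in ident.lower() and fields.get("Implementation-Version"):
        return fields["Implementation-Version"]
    m = _NAME_RE.search(path.name)
    return m.group(1) if m else None


def find_vulnerable_fileupload(root):
    """Walk root; return [(jar name, version, vulnerable)] for every Commons FileUpload jar."""
    results = []
    for jar in sorted(Path(root).rglob("*.jar")):
        version = fileupload_version(jar)
        if version is None:
            continue
        parsed = parse_version(version)
        # An unparseable version is reported as vulnerable so it gets a manual look.
        vulnerable = parsed is None or parsed < FIXED_VERSION
        results.append((jar.name, version, vulnerable))
    return results


def _write_jar(path, manifest):
    """Constructed stand-in for a real jar: a zip holding a manifest and a marker entry."""
    with zipfile.ZipFile(path, "w") as jar:
        if manifest is not None:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("marker.class", b"")


def build_sample_jars(libdir):
    """Constructed sample WEB-INF/lib: two vulnerable copies, one fixed, one unrelated jar."""
    libdir = Path(libdir)
    libdir.mkdir(parents=True, exist_ok=True)
    _write_jar(libdir / "commons-fileupload-1.3.2.jar",
               "Manifest-Version: 1.0\nImplementation-Title: Apache Commons FileUpload\n"
               "Implementation-Version: 1.3.2\n")
    _write_jar(libdir / "fileupload-fixed.jar",   # renamed copy: only the manifest identifies it
               "Manifest-Version: 1.0\nBundle-SymbolicName: org.apache.commons.fileupload\n"
               "Implementation-Version: 1.3.3\n")
    _write_jar(libdir / "commons-fileupload-1.2.1.jar", None)   # no manifest: fall back to the name
    _write_jar(libdir / "commons-io-2.4.jar",
               "Manifest-Version: 1.0\nImplementation-Title: Commons IO\nImplementation-Version: 2.4\n")
    return libdir


def run_demo():
    """Build the constructed lib directory in a temp dir; return names of vulnerable jars."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = build_sample_jars(Path(tmp) / "WEB-INF" / "lib")
        return sorted(name for name, _, vuln in find_vulnerable_fileupload(lib) if vuln)


if __name__ == "__main__":
    for name in run_demo():
        print("needs Commons FileUpload 1.3.3 or later:", name)
```

This only establishes whether a pre-1.3.3 copy of the library is present; it says nothing about whether the application actually deserializes untrusted input through it, and on an appliance such as ISE the vendor hotfix, not a manual jar swap, is the supported remediation.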
11-19-2018 10:16 AM
Jason,
We are aware of the problem and engineers are currently working on a fix. Unfortunately, I cannot confirm when the fix will be issued as part of a patch or what patch number that will be. The reason is that bug fixes in patches are fluid and can possibly change.
Regards,
-Tim
11-29-2018 07:31 PM
Hi Jason,
On November 20, 2018, Cisco released a patch to fix this Apache Struts issue.
https://software.cisco.com/download/home/283801620/type/283802505/release/Struts2-fix-2.0-2.4
The release notes do not state this BUT the download page does. Make sure you have installed Patch 5 for ISE 2.3 prior to installing the hotfix.
Hope this helps,
Tim