Beginner

Cisco ISE 2.3 patch for Apache Struts

Hello,

This month we see the following vulnerability:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload

Bug:  ISE Apache Struts CVE-2016-1000031 Vulnerability

Cisco Bug ID:  CSCvn17524

CVE:  CVE-2016-1000031


This is a new bug on an old vulnerability, which is noted as impacting all of the current Cisco ISE versions.  I see new patch numbers listed for 2.2, 2.4 and 2.5 - but nothing for 2.3.  Is there a patch 6 coming out for ISE Version 2.3 to correct this problem?

Background:

Summary

  • On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.


I've already read the following as well, and see it was successfully patched:

Bug:  Evaluation of positron for Struts remote code execution vulnerability August 2018

Cisco Bug ID:  CSCvm14030

CVE:  CVE-2018-11776


I see there is an add-on patch to resolve this via a .tar file which needed to be applied to ISE via an upload from a Repository when ISE 2.3 has Patch 4 installed, and then in the release notes it appears this was resolved as well within Patch 5.

Thanks,

-Jason


1 ACCEPTED SOLUTION

Cisco Employee

Re: Cisco ISE 2.3 patch for Apache Struts

Jason,


We are aware of the problem and engineers are currently working on a fix.  Unfortunately, I cannot confirm when the fix will be issued as part of a patch or what patch number that will be.  The reason is that bug fixes in patches are fluid and can possibly change.

Regards,

-Tim

Beginner

Re: Cisco ISE 2.3 patch for Apache Struts

Hi Jason,


On November 20, 2018, Cisco released a patch to fix this Apache Struts issue.

https://software.cisco.com/download/home/283801620/type/283802505/release/Struts2-fix-2.0-2.4

The release notes do not state this BUT the download page does.  Make sure you have installed Patch 5 for ISE 2.3 prior to installing the hotfix.

Hope this helps,

Tim

Cisco Employee

Re: Cisco ISE 2.3 patch for Apache Struts

There is a separate readme:

Description : Cisco Identity Services Engine Software Application bundle README file with instructions to install and rollback Apache Struts Commons FileUpload CVE-2016-1000031. This README is applicable to ISE 2.3 release.
Release : Struts2-fix-2.0-2.4
Release Date : 20-Nov-2018
FileName : CSCvn17524_23_P5_HotPatch_ReadMe