
Cisco ISE 2.7 Patch upgrade

alinbabyy
Level 1

Hi All - Currently we are running on ISE v2.7 patch 3 and, due to the latest RADIUS vulnerability, need to perform a patch upgrade to 6 or 7. Has anyone here installed patch 7 on ISE 2.7? Please let me know if any issues are reported, and is it recommended to go for patch 7 or patch 6?


I have gone through this. But there is no confirmation that the vulnerability (CVE-2022-20756) is fixed in patch 7. Also, considering that patch 7 was released very recently and the open & resolved caveats in patch 6 and 7, I am trying to figure out which patch would be the best option.

Hi @alinbabyy ,

 ISE 2.7 P6 is a good patch, using it for the last 3 months.

 ISE 2.7 P7 was released on Mar 2nd, still testing in a LAB.

 

Hope this helps !!!

In my environment we are using stable patch 6 with 2.7 and ISE 3.0 patch 4, I guess.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

alinbabyy
Level 1

Hi @Marcelo Morais and @balaji.bandi - thanks for the response. Have you observed any bugs in patch 6 so far? Because I could see many resolved caveats in patch 7.

Not really an impacting one that we see, but it all depends on the features you are using and the kind of deployment.

 

If you are really concerned, it is worth opening a TAC case; they can suggest you look at your deployment and config.

 

Some bugs you may encounter as Cisco TAC said they fixed, so we need to bear that in mind, and you have the option to roll back patches.

 

 

 

BB


Okay. Thanks. 

Hi @alinbabyy ,

 For 2.7 P6 I'm using RADIUS (no TACACS+); the bugs that I observed are related to:

. RBAC Policy

CSCwa19573 - Catalina.out file is huge because of SSL audit events (solved on 2.7 P7) ... this one I opened a TAC Case months ago to solve the issue

CSCwa47133 - ISE Evaluation log4j CVE-2021-44228 (solved on 2.7 P7) ... this one I applied a Hot Patch.

 

Hope this helps !!!

What were the symptoms of the bug related to RBAC? Was that causing any impact in production?

Hi @alinbabyy ,

 Please take a look at this post: Access Right in ISE.

 

Hope this helps !!!

imanv
Level 1

Currently I have Cisco ISE 2.7 patch 6 and all features working fine.

Log4j bug also patched with Cisco instructions here:

https://www.cisco.com/web/software/283802505/159582/README_Hotpatch_CSCwa47133_Log4j2-fix-2.4-3.0.txt

 

Janne K.
Level 1

Went on our 2.7 install from patch 3 to patch 7 two weeks ago, and everything runs smoothly.