Cisco ISE hot patch log4j -CSCwa47133 - File not the correct format

seto_wai_hong
Level 1

Cisco Identity Services Engine Software hot patch for the log4j PSIRT bug - CSCwa47133. Apply this hot patch for 2.4, 2.6, 2.7 and 3.0 patches.

Patch cannot be installed. Patch file is not in the correct format.



MatthewShaw4644
Level 1

I got it to work by running it from a local repo instead of the usual SFTP repo.  No idea why that would matter but it did the trick for me.  ISE 2.4.0.357

 

I was able to install the patch on ISE 2.7 patch 6 using an FTP repo.

It applied just fine and after applications auto-restarted, all was good.

 

Interestingly, you can't easily see whether the hotfix is installed (show ver, show application or looking in the Patch Management GUI etc.)

 

I found it under show version history at the bottom of the output:

 

nac1/admin# show ver history
---------------------------------------------
Install Date: Tue Nov 30 00:07:03 UTC 2021
Application: ise
Version: 2.7.0.356
Install type: Application Install
Bundle filename: ise.tar.gz
Repository: SystemDefaultPkgRepos
---------------------------------------------
Install Date: Wed Dec  1 07:57:58 AEST 2021
Application: ise
Version: 6
Install type: Patch Install
Bundle filename: ise-patchbundle-2.7.0.356-Patch6-21110108.SPA.x86_64.tar.gz
Repository: tmplocalpatchinstallrepo
---------------------------------------------
Install Date: Fri Dec 17 13:16:17 AEST 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: AD-01
---------------------------------------------
Install Date: Fri Dec 17 13:17:00 AEST 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Remove
nac1/admin#

 

Release notes have all the details of installation and how to check the same.

 

=================================================
README for installing Hot Patch to fix CSCwa47133 
=================================================

This hot patch is to address CSCwa47133 (related to Apache Log4j2)

Download the following files from CCO.
                                                               
ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz 
ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz 


Confirm that the hash of the downloaded files matches the ones listed on CCO.
Copy the files to repository which is reachable from ISE.
Configure the repository in ISE to start the installation process.

===================
Few important notes
===================

This is a generic fix and it can be installed on top of any patch of ISE 2.4, 2.6, 2.7 or 3.0 

This needs to be installed on every ISE node in a deployment.

===============
How to install 
===============

Login to ISE CLI
Invoke the following command to install the bundle which will apply the hot patch:

"application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz <REPOSITORY_NAME>" 

=======================================================
How to Verify whether patch has installed successfully
=======================================================

Login to ISE CLI
Execute the command "show logging application hotpatch.log"
"CSCwa47133_all_common_1 => CSCwa47133" should be displayed. This confirms the hot patch is successfully installed.


===============
How to Rollback 
===============

(Note: This is only required if you need to remove the hot patch)

Login to ISE CLI
Invoke the following command to rollback the hot patch:

"application install ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz  <REPOSITORY_NAME>"

 

 

There is a different file for ISE 3.1 release. 
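The README's verification step and the `show version history` output quoted above can be combined into a per-node check, since the hot patch has to be on every node. This is an added example, not code from the thread or from Cisco; it assumes both CLI outputs were saved as text per node, and the `nac2` sample and the hotpatch.log contents passed in are constructed.

```python
import re

APPLY_BUNDLE = "ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz"
LOG_MARKER = "CSCwa47133_all_common_1 => CSCwa47133"  # string the README says to look for
# Last two records of the `show version history` output quoted in the thread.
NAC1_HISTORY = """\
---------------------------------------------
Install Date: Fri Dec 17 13:16:17 AEST 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: AD-01
---------------------------------------------
Install Date: Fri Dec 17 13:17:00 AEST 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Remove
"""
# Constructed sample: a second node ("nac2") that only has the base install.
NAC2_HISTORY = """\
---------------------------------------------
Install Date: Tue Nov 30 00:07:03 UTC 2021
Application: ise
Install type: Application Install
Bundle filename: ise.tar.gz
"""

def parse_history(text):
    """Split `show version history` output into one dict per record."""
    records = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        pairs = (ln.split(":", 1) for ln in chunk.splitlines() if ":" in ln)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if "Install type" in fields:
            records.append(fields)
    return records

def node_status(history, hotpatch_log):
    """Combine both CLI outputs captured from one node into a verdict."""
    # The trailing "Application Remove" record has no bundle name, so it is skipped here.
    applied = [r for r in parse_history(history) if r.get("Bundle filename") == APPLY_BUNDLE]
    last = applied[-1] if applied else {}
    return {"log_confirms": LOG_MARKER in hotpatch_log,  # the README's own check
            "installed_on": last.get("Install Date"), "repository": last.get("Repository")}

def unconfirmed_nodes(captures):
    """Names of nodes whose hotpatch.log lacks the marker the README describes."""
    return sorted(n for n, (hist, log) in captures.items() if not node_status(hist, log)["log_confirms"])
```

`unconfirmed_nodes` takes a dict of node name to `(history_text, hotpatch_log_text)` and returns the nodes that still need attention.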

I had the exact same issue and had to open a TAC case.  My file was also 20kb.  Same error.  I also used FileZilla.  I redownloaded and used MacOS native FTP text based client, set to BIN format for the transfer, and lo and behold it was 5kb and installed fine.

The way you know you have a problem is if the file is 20kb; also, the MD5 hash will NOT match what is on Cisco's release notes/download page.
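A pre-flight check for the symptom described above (wrong size, digest not matching the published one), run on the repository host before `application install`. This is an added example, not code from the thread or from Cisco; the bundle built in `demo()` is constructed, and the gzip-header test assumes the bundle is an ordinary gzip stream, as its `.tar.gz` name suggests.

```python
import gzip, hashlib, hmac, io, os, tarfile, tempfile

def file_digest(path, algo):
    """Stream the file through hashlib so the bundle need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def preflight(path, published_hex, algo="md5"):
    """Compare a downloaded bundle with the digest shown on the download page.

    The thread mentions MD5; pass algo="sha512" if a SHA-512 value is listed.
    """
    actual = file_digest(path, algo)
    with open(path, "rb") as fh:
        gzip_magic = fh.read(2) == b"\x1f\x8b"  # assumption: plain gzip stream
    return {
        "size_bytes": os.path.getsize(path),
        "digest_matches": hmac.compare_digest(actual, published_hex.strip().lower()),
        "gzip_magic": gzip_magic,
    }

def demo():
    """Constructed stand-in bundle: the intact copy passes, an altered copy fails."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "bundle.tar.gz"), os.path.join(d, "bundle-altered.tar.gz")
    with tarfile.open(good, "w:gz") as tar:
        data = b"constructed payload\n" * 200
        info = tarfile.TarInfo("hotpatch/README")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    published = file_digest(good, "md5")  # stands in for the published value
    # Altered copy: same name pattern, but stored decompressed (constructed case;
    # the thread does not establish what changed the poster's file).
    with gzip.open(good, "rb") as src, open(bad, "wb") as dst:
        dst.write(src.read())
    return preflight(good, published), preflight(bad, published)
```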

gmasters428
Level 1

A bit odd you can't install this patch via GUI due to the "incorrect file format" error.

Hot patch can only be installed from ISE CLI. The GUI install support for Hot patch is not yet available. The incorrect file format could be because of browser behavior while downloading the file from Cisco site. If you are using Chrome, please try Firefox and see if you are still encountering the issue.

Naresh Ginjupalli
Cisco Employee

This is known behaviour with Chrome Browser. Please use Firefox or any other browser.

I tried installing with the GUI from Firefox and did not have any success. I received the unsupported format message also. 

Installing Hotpatch from GUI is not supported. Hot patch has to be installed only from CLI using the commands mentioned in Hotpatch release notes.