CSCwa47133 - ISE 3.1 - Log4j Patch Availability?

pkarelis
Level 1

ISE 3.1 ( 3.001(000.518) a/k/a 3.1.0.518) is listed as vulnerable, and the current patch that is available is showing for ISE 2.4-3.0.  When will an ISE 3.1 patch become available?

 

Also, a public service announcement:  the 3.0 patch doesn't work on ISE 3.1 in case you get impatient like me. 

 

I attempted to install 2.4-3.0 patch on ISE 3.1, and the install worked, but ISE wouldn't start after the install with the following error:

PAN01/admin# application start ise
% Error: ISE Integrity Check Failed! One or more ISE program files appears to
%        be tampered with. Check system log for specific error(s).
% Application failed to start

ISE started without issue after rollback of the patch.

1 Accepted Solution


@rpmoyer93 wrote:

Getting pretty late in the day for the east coast here for a release of the patch for 3.1.  Is this still expected today or should we be watching over the weekend?


ISE 3.1 Patch 1 is now available and can be found HERE.

ISE 3.1 Patch 1 Release Notes can be found HERE.

NOTE:  Applying ISE 3.1 Patch 1 will restart the services.

6 Replies

Arne Bier
VIP

In fairness to Cisco, they did say that the patch was for ISE 2.4 through 3.0 - perhaps it's already fixed in ISE 3.1? Or they have not yet got around to fixing it. Or perhaps ISE 3.1 doesn't use this Apache library?  Who knows.

 

Nice try though

Leo Laohoo
Hall of Fame

Raise a TAC Case.

The latest update to the Vulnerabilities in Apache Log4j Library Affecting Cisco Products security bulletin (update 1.19) states that the hotfix for ISE 3.1 is to be available on 17 December 2021.

rpmoyer93
Level 1

Getting pretty late in the day for the east coast here for a release of the patch for 3.1.  Is this still expected today or should we be watching over the weekend?


Thompso75401
Level 1

What order should I use to patch my ISE deployment w/ the log4j fix? Admin nodes, then MnT, then PSN, etc.?

 

 - The order is not important; also check this thread:

           https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521609#M571847

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '