12-12-2021 07:59 PM
Hello,
Could someone please advise which version of ISE is not affected by the log4j vulnerability?
What is the workaround, if any?
Cheers,
Gan
12-16-2021 03:57 AM
use the following command:
ise/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz LOCAL
Note: LOCAL is the name of my repository that points to disk:
repository LOCAL
url disk:/
I always prefer to put the patch on the disk:
ise/admin# dir
Directory of disk:/
...
4747 Dec 16 2021 05:56:27 ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
3413 Dec 16 2021 05:57:46 ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
...
It took 10 to 15 min in a LAB environment.
Hope this helps !!!
12-12-2021 08:58 PM
Only log4j versions 2.x.x are vulnerable. Apps using log4j 1.x.x are NOT vulnerable, so no action needs to be taken on applications using the older log4j versions.
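The distinction drawn above (log4j 1.x versus 2.x) and the later question in the thread about which log4j version ISE 2.7 ships can both be answered by looking inside a jar rather than guessing from product release notes. The following script is an added example, not code from this thread, from Cisco or from the log4j project: it classifies a jar as log4j 1.x or 2.x by package prefix, reads the version from the Maven pom.properties that log4j 2.x jars carry, reports whether the JndiLookup class (the component behind Log4Shell, and the file Apache's "zip -q -d" mitigation deletes) is still present, and recurses into nested jars so shaded or fat jars are not missed. The jars it inspects at the bottom are constructed fixtures that mimic the layout of real jars without any bytecode; the function names and the 2.11.1 version string are assumptions for illustration, not facts about ISE.

```python
"""Classify log4j jars (1.x vs 2.x) and check for JndiLookup.class.
Added example; not Cisco, ISE or Apache log4j code."""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

LOG4J1_PREFIX = "org/apache/log4j/"               # log4j 1.x package
LOG4J2_PREFIX = "org/apache/logging/log4j/core/"  # log4j 2.x core package
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/"


@dataclass
class Log4jReport:
    label: str                 # jar path; "!" separates nested jars
    major: Optional[int]       # 1, 2, or None when no log4j classes are present
    version: Optional[str]     # from pom.properties when shipped (2.x only)
    jndi_lookup_present: bool


def _pom_version(zf: zipfile.ZipFile, names: List[str]) -> Optional[str]:
    """Read version=... from the log4j Maven pom.properties, if the jar carries one."""
    for name in names:
        if name.startswith(POM_PREFIX) and name.endswith("/pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def inspect_jar_bytes(label: str, data: bytes) -> List[Log4jReport]:
    """One report for this jar plus one per nested jar (shaded/fat jars)."""
    reports: List[Log4jReport] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J2_PREFIX) for n in names):
            major: Optional[int] = 2
        elif any(n.startswith(LOG4J1_PREFIX) for n in names):
            major = 1
        else:
            major = None
        reports.append(Log4jReport(label, major, _pom_version(zf, names), JNDI_LOOKUP in names))
        for n in names:
            if n.endswith(".jar"):  # recurse into embedded jars
                reports.extend(inspect_jar_bytes(f"{label}!{n}", zf.read(n)))
    return reports


def inspect_jar(path: str) -> List[Log4jReport]:
    with open(path, "rb") as fh:
        return inspect_jar_bytes(path, fh.read())


def has_jndi_lookup(reports: List[Log4jReport]) -> bool:
    """True if any (nested) jar is log4j 2.x and still ships JndiLookup.class."""
    return any(r.major == 2 and r.jndi_lookup_present for r in reports)


def build_sample_jar(entries: Dict[str, bytes]) -> bytes:
    """Constructed fixture: a zip with the given name -> bytes entries (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed fixtures; the 2.11.1 version string is an assumption, not an ISE fact.
SAMPLE_CORE_2X = build_sample_jar({
    "org/apache/logging/log4j/core/Logger.class": b"",
    JNDI_LOOKUP: b"",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.11.1\n",
})
SAMPLE_CORE_2X_STRIPPED = build_sample_jar({  # JndiLookup.class removed, as the zip -q -d mitigation does
    "org/apache/logging/log4j/core/Logger.class": b"",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.11.1\n",
})
SAMPLE_1X = build_sample_jar({"org/apache/log4j/Logger.class": b""})
SAMPLE_FAT = build_sample_jar({"com/example/App.class": b"", "lib/log4j-core.jar": SAMPLE_CORE_2X})

if __name__ == "__main__":
    for label, data in [("core-2.x", SAMPLE_CORE_2X), ("core-2.x-stripped", SAMPLE_CORE_2X_STRIPPED),
                        ("log4j-1.x", SAMPLE_1X), ("fat", SAMPLE_FAT)]:
        reports = inspect_jar_bytes(label, data)
        for r in reports:
            print(f"{r.label}: major={r.major} version={r.version} JndiLookup={r.jndi_lookup_present}")
        print(f"  -> JndiLookup reachable: {has_jndi_lookup(reports)}")
```

Presence of JndiLookup.class is the usual triage heuristic for this CVE family; the script deliberately does not encode a fixed-version table, so the version it prints still has to be compared against the Apache advisory for the CVE you care about. On a real host, call inspect_jar() on each .jar or .war found under the application directory.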
12-12-2021 09:29 PM
I thought the Apache Foundation was going to update all versions of log4j, as the no longer supported 1.x stream is open to this and other RCE exploits.
12-13-2021 12:19 AM
Are you sure? I'm reading that because 1.0 is no longer supported, it's also impacted.
12-13-2021 12:51 AM - edited 12-13-2021 03:49 PM
A bit misleading, as CSCwa47133 does not state that ISE is running an older version; it also lists all versions from 2.6 to 3.1 as affected.
12-13-2021 03:45 PM - edited 12-13-2021 03:54 PM
Do we know which version of log4j ISE 2.7.0.356 is using?
12-13-2021 04:27 PM
please take a look at Cisco ISE 2.7 Release Notes, search for log4j.
Note: CSCvs66551 Multiple Vulnerabilities in apache log4j ... solved on 2.7 P5.
Hope this helps !!!
12-16-2021 10:26 AM
looks to be 2.11 (plus some older versions)
that is .... if I am reading it right ... no guarantee of that
12-13-2021 05:21 PM
Hi @Marcelo Morais ,
Thanks for the info. However, the 2.7 Patch 5 addresses another vulnerability.
The new patch for this vulnerability will be in patch 7.
12-13-2021 05:46 PM
12-13-2021 05:59 PM
This bug, CSCvs66551, is for a vulnerability dated 2019 and is not relevant. Bug Search Tool (cisco.com)
I don't believe it fixes the issue. If you go to this link, Bug Search Tool (cisco.com), there is still no fixed release.
12-13-2021 06:24 PM
Ah, my bad. I saw it was updated today with patches listed against it and thought it was the current issue.
12-15-2021 11:54 PM
Cisco provided a Hot Patch for the log4j PSIRT bug CSCwa47133: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz (15-Dec-2021).
Hope this helps !!!
12-16-2021 12:26 AM - edited 12-16-2021 12:26 AM
Thanks Marcelo,
I am already in process of applying it on my second node.
Out of interest, is someone able to confirm whether this patch is going to be persistent? That is, I am running ISE 2.7 Patch 4, as that is the highest version mentioned as compatible with Cisco DNA Center 2.2.2.3 on the 2.7 platform. If Patch 6 later becomes compatible and I install it, do I have to be concerned that this hotfix gets removed and needs to be reapplied?
Thanks in advance.
12-16-2021 12:36 AM
Hi @AigarsK ,
I always prefer to rollback the Hot Patch before applying a regular ISE Patch release.
You are able to use the "show application" command to check the Hot Patch installation, or the "show logging application hotpatch.log" command to check whether the Hot Patch was installed successfully.
Hope this helps !!!