ISE 2.7.0.356

Hello, 

Could someone please advise which version of ISE is not affected by the log4j vulnerability?

What is the workaround, if any?

 

Cheers, 

Gan

 

Accepted Solutions

Hi @ganeshwaree.ramburruth ,

Use the following command:

ise/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz LOCAL

Note: LOCAL is the name of my repository that points to disk:

repository LOCAL
url disk:/

I always prefer to put the patch on the disk:

ise/admin# dir
Directory of disk:/
...
4747 Dec 16 2021 05:56:27 ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
3413 Dec 16 2021 05:57:46 ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
...

 

It took 10 to 15 min in a LAB environment.

 

Hope this helps !!!

38 Replies

sumitagr
Cisco Employee

Only log4j versions 2.x.x are vulnerable. Apps using log4j 1.x.x are NOT vulnerable, so no action needs to be taken on applications using the older log4j versions.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47133

I thought the Apache foundation is to update all versions of log4j, as the no longer supported 1.x stream is open to this and other RCE exploits.

Are you sure? I'm reading that because 1.0 is no longer supported, it's also impacted.

Bit misleading, as in CSCwa47133 it does not state that ISE is running an older version; it also lists all versions from 2.6 to 3.1 as affected.

Do we know which version of log4j ISE 2.7.0.356 is using?

 

Hi @ganeshwaree.ramburruth ,

Please take a look at the Cisco ISE 2.7 Release Notes and search for log4j.

 

Note: CSCvs66551 Multiple Vulnerabilities in apache log4j ... solved on 2.7 P5.

 

Hope this helps !!!

from here https://www.cisco.com/c/dam/en/us/td/docs/security/ise/2-7/open_source/IdentityServicesEngine27v10.pdf 

 

looks to be 2.11 (plus some older versions) 

 

that is .... if I am reading it right ... no guarantee of that 

Hi @Marcelo Morais ,

 

Thanks for the info. However, the 2.7 version patch 5 is addressing another vulnerability.

The new patch for this vulnerability will be in patch 7. 

So is the information listed in the Bug details not correct? Does the 3-patch4 fix this issue or not?

This bug CSCvs66551 is for a vulnerability dated 2019 and it is not relevant. Bug Search Tool (cisco.com)

 

I don't believe it fixes the issue. If you go on this link Bug Search Tool (cisco.com), there is still no fixed release.