cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
24142
Views
95
Helpful
38
Replies

ISE 2.7.0.356

Hello, 

Could someone please advise which version of ISE is not affected by the log4j vulnerability?

What is the workaround if any ?

 

Cheers, 

Gan

 

38 Replies 38

Thanks Marcelo for the advice.

Interesting Marcelo, thanks for sharing this.... I'm not sure I would have thought to do that.....

 

Is this approach specifically advised, or have you just learnt the hard way? 

 

 

Hi @u4mjac1975 ,

 when you asked me "Is this approach specifically advised, or have you just learnt the hard way? " ... rollback the Hot Patch before applying a regular ISE Patch release is a "mix of experiences"  (advised and hard way).

Note: specially when I installed a Summertime Hot Patch.

 

Regards

I can't speak specifically to ISE 2.7, but for v2.4 the documentation recommends that any applied hotfixes be removed prior to any patch installation.  I will tell you from experience that not following that recommendation can lead to very bad things.

 

Yes i am going to apply the hot fix. thanks.

DennisTX
Level 1
Level 1

Hi,

 

i just downloaded the small files (4 and 5 KB) and transfered them to my repo.

Before i´ll start the installation, i have a question:

Do i need to restart the ISE nodes after installation? Can´t find any information about this in the README file.

 

Regards,

Dennis

 

Hi @DennisTX ,

 during the Hot Patch installation, the Application Server restarts ... take a look at the following:

Note: remember to install the Hot Patch on all Nodes.

 

ise/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz LOCAL
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...

Checking if CSCwa47133_all_common_1 is already applied
- Successful

Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
- Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application

Hot patch applied successfully
job 1 at Thu Dec 16 06:05:00 2021

Application successfully installed

 

ise/admin# show application
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6

 

Hope this helps !!!


@Marcelo Morais wrote:
ise/admin# show application
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6

How can I check that ise node has applied the patch ?

By executing show application command ? Or is there other way ?

 

If yes, then I have this question:

I have applied the patch successfully, but I do not see within applied patches at all.

So I have tried apply again with "already applied" result.

I reloaded the node and I do not still see log4j patch applied, but it tells me it is there.

 

Why is my expirience applying patch is diffrent from yours ?

 

ise01/sadmin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz backup
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
 
Checking if CSCwa47133_all_common_1 is already applied
  - Failed
  - CSCwa47133_all_common_1 is already applied
% Application install or upgrade cancelled.
ise01/sadmin# show application
<name>          <Description> 
ise             Cisco Identity Services Engine
                Patches: 3 6 

Login to ISE CLI
Execute the command "show logging application hotpatch.log"
"CSCwa47133_all_common_1 => CSCwa47133" should be displayed. This confirms the hot patch is successfully installed.

 

Yeah I know:

show logging application hotpatch.log
Wed Dec 22 17:50:32 CET 2021 => CSCwa47133_all_common_1 => CSCwa47133

 

But why it is not seen in show application output ?

In Marcelo Morais output we can see it.

Hi @stayd ,

 you are able to check the installation via:

ise/admin# show application 
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6

or

ise/admin# show version history 
...
---------------------------------------------
Install Date: Thu Dec 23 15:09:33 -03 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: <repository name>

 

Hope this helps !!!


@Marcelo Morais wrote:

Hi @stayd ,

 you are able to check the installation via:

ise/admin# show version history 
...
---------------------------------------------
Install Date: Thu Dec 23 15:09:33 -03 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: <repository name>

It is strange:

---------------------------------------------
Install Date: Wed Dec 22 17:50:32 CET 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: backup
---------------------------------------------
Install Date: Wed Dec 22 17:51:00 CET 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Remove

 

ise01/sadmin# show logging application hotpatch.log
Wed Dec 22 17:50:32 CET 2021 => CSCwa47133_all_common_1 => CSCwa47133

 

ise01/sadmin# show application
<name> <Description>
ise Cisco Identity Services Engine
Patches: 3 6

 

Initiating Application Install...
 
Checking if CSCwa47133_all_common_1 is already applied
  - Failed
  - CSCwa47133_all_common_1 is already applied
% Application install or upgrade cancelled.

 

So how do we read this all togheter?

Hi DennisTX,

During the installation of the HotFix, it does restart Cisco ISE Application Server, no full ISE restart required as much I can tell.

Nothing else was required apart from considerations on impact it might have on your deployment so that user authentication is not disrupted.

Thank you,

 

i´m trying to install the hotfix on our passive admin node.

But for now, it´s stuck at "building configuration" after saving the current ADE-OS running configuration for around 40 minutes. I guess this is too long.

 

System information:

SNS-3655-K9.

ISE: 2.7.0.356

ADE: 3.0.7.057

 

Any suggestions?

 

Regards,

Dennis

 

I have not started yet, but yes ISE does take a long time to upgrade.

Anyone who has already applied the hot fix, could you confirm the time taken?