ISE 2.7.0.356

Hello, 

Could someone please advise which version of ISE is not affected by the log4j vulnerability?

What is the workaround if any ?

 

Cheers, 

Gan

 

38 Replies

Thanks Marcelo for the advice.

Interesting Marcelo, thanks for sharing this.... I'm not sure I would have thought to do that.....

 

Is this approach specifically advised, or have you just learnt the hard way? 

 

 

Hi @u4mjac1975 ,

 when you asked me "Is this approach specifically advised, or have you just learnt the hard way?" ... rolling back the Hot Patch before applying a regular ISE Patch release is a "mix of experiences" (advised and hard way).

Note: especially when I installed a Summertime Hot Patch.

 

Regards

I can't speak specifically to ISE 2.7, but for v2.4 the documentation recommends that any applied hotfixes be removed prior to any patch installation.  I will tell you from experience that not following that recommendation can lead to very bad things.

 

Yes, I am going to apply the hot fix. Thanks.

DennisTX
Level 1

Hi,

 

I just downloaded the small files (4 and 5 KB) and transferred them to my repo.

Before I start the installation, I have a question:

Do I need to restart the ISE nodes after installation? I can't find any information about this in the README file.

 

Regards,

Dennis

 

Hi @DennisTX ,

 during the Hot Patch installation, the Application Server restarts ... take a look at the following:

Note: remember to install the Hot Patch on all Nodes.

 

ise/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz LOCAL
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...

Checking if CSCwa47133_all_common_1 is already applied
- Successful

Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
- Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application

Hot patch applied successfully
job 1 at Thu Dec 16 06:05:00 2021

Application successfully installed

 

ise/admin# show application
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6

 

Hope this helps !!!
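As an added illustration of what the "Taking backup of file ... Removing the vulnerable class file JndiLookup.class from log4j-core" steps in the output above do, here is example code written for this thread (not Cisco's hotpatch wrapper script); it backs up a jar, rewrites it without JndiLookup.class, and re-checks it, using a constructed stand-in jar rather than a real log4j-core build.

```python
import io
import shutil
import tempfile
import zipfile
from pathlib import Path

# Path of the class the hot patch removes, as it appears inside log4j-core jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar: Path) -> bool:
    """True if the jar still ships JndiLookup.class, i.e. is unpatched."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar: Path) -> Path:
    """Back the jar up (the 'Taking backup of file' step), then rewrite it
    without JndiLookup.class; every other entry is copied unchanged."""
    backup = jar.with_name(jar.name + ".bak")
    shutil.copy2(jar, backup)
    buf = io.BytesIO()
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    jar.write_bytes(buf.getvalue())
    return backup


def make_sample_jar(path: Path) -> Path:
    """Constructed fixture: a tiny jar with dummy entries (not real log4j)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe")
    return path


def demo() -> dict:
    """Check -> backup+strip -> re-check on the constructed jar."""
    with tempfile.TemporaryDirectory() as d:
        jar = make_sample_jar(Path(d) / "log4j-core-sample.jar")
        before = has_jndi_lookup(jar)
        backup = strip_jndi_lookup(jar)
        with zipfile.ZipFile(jar) as zf:
            remaining = sorted(zf.namelist())
        return {"before": before, "after": has_jndi_lookup(jar),
                "backup_still_has_class": has_jndi_lookup(backup),
                "remaining": remaining}
```

Calling demo() shows the class present before, absent after, and still present in the backup copy; on an ISE node the hot patch performs these steps itself, and has_jndi_lookup is the kind of check the "Checking if CSCwa47133_all_common_1 is already applied" line corresponds to.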


@Marcelo Morais wrote:
ise/admin# show application
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6

How can I check that the ISE node has applied the patch?

By executing the show application command? Or is there another way?

 

If yes, then I have this question:

I have applied the patch successfully, but I do not see it within the applied patches at all.

So I have tried to apply it again, with an "already applied" result.

I reloaded the node and I still do not see the log4j patch applied, but it tells me it is there.

 

Why is my experience applying the patch different from yours?

 

ise01/sadmin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz backup
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
 
Checking if CSCwa47133_all_common_1 is already applied
  - Failed
  - CSCwa47133_all_common_1 is already applied
% Application install or upgrade cancelled.
ise01/sadmin# show application
<name>          <Description> 
ise             Cisco Identity Services Engine
                Patches: 3 6 

Login to ISE CLI
Execute the command "show logging application hotpatch.log"
"CSCwa47133_all_common_1 => CSCwa47133" should be displayed. This confirms the hot patch is successfully installed.

 

Yeah I know:

show logging application hotpatch.log
Wed Dec 22 17:50:32 CET 2021 => CSCwa47133_all_common_1 => CSCwa47133

 

But why is it not seen in the show application output?

In Marcelo Morais's output we can see it.

Hi @stayd ,

 you are able to check the installation via:

ise/admin# show application 
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6

or

ise/admin# show version history 
...
---------------------------------------------
Install Date: Thu Dec 23 15:09:33 -03 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: <repository name>

 

Hope this helps !!!


@Marcelo Morais wrote:

Hi @stayd ,

 you are able to check the installation via:

ise/admin# show version history 
...
---------------------------------------------
Install Date: Thu Dec 23 15:09:33 -03 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: <repository name>

It is strange:

---------------------------------------------
Install Date: Wed Dec 22 17:50:32 CET 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: backup
---------------------------------------------
Install Date: Wed Dec 22 17:51:00 CET 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Remove

 

ise01/sadmin# show logging application hotpatch.log
Wed Dec 22 17:50:32 CET 2021 => CSCwa47133_all_common_1 => CSCwa47133

 

ise01/sadmin# show application
<name> <Description>
ise Cisco Identity Services Engine
Patches: 3 6

 

Initiating Application Install...
 
Checking if CSCwa47133_all_common_1 is already applied
  - Failed
  - CSCwa47133_all_common_1 is already applied
% Application install or upgrade cancelled.

 

So how do we read this all together?

Hi DennisTX,

During the installation of the HotFix, it does restart the Cisco ISE Application Server; no full ISE restart is required, as far as I can tell.

Nothing else was required apart from considerations on impact it might have on your deployment so that user authentication is not disrupted.

Thank you,

 

I'm trying to install the hotfix on our passive admin node.

But for now, it's been stuck at "building configuration" after saving the current ADE-OS running configuration for around 40 minutes. I guess this is too long.

 

System information:

SNS-3655-K9.

ISE: 2.7.0.356

ADE: 3.0.7.057

 

Any suggestions?

 

Regards,

Dennis

 

I have not started yet, but yes, ISE does take a long time to upgrade.

Anyone who has already applied the hot fix, could you confirm the time taken?