cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
24625
Views
95
Helpful
38
Replies

ISE 2.7.0.356

Hello, 

Could someone please advise which version of ISE is not affected by the log4j vulnerability?

What is the workaround if any ?

 

Cheers, 

Gan

 

1 Accepted Solution

Accepted Solutions

Hi @ganeshwaree.ramburruth ,

 use the following command:

ise/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz LOCAL

Note: LOCAL is the name of my repository that points to disk:

repository LOCAL
url disk:/

I always prefer to put the patch on the disk:

ise/admin# dir
Directory of disk:/
...
4747 Dec 16 2021 05:56:27 ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
3413 Dec 16 2021 05:57:46 ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
...

 

It took 10 to 15 min in a LAB environment.

 

Hope this helps !!!

View solution in original post

38 Replies 38

sumitagr
Cisco Employee
Cisco Employee

Only log4j versions 2.x.x are vulnerable. Apps using log4j 1.x.x are NOT vulnerable, so no action needs to be taken on applications using the older log4j versions.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47133

I thought Apache foundation is to update all versions of log4j, as the no longer supported 1.x stream is open to this and others RCE exploits

Are you sure? I'm reading because 1.0 is no longer supported its also impacted.

Bit misleading as in CSCwa47133 it does not state that ISE is running older version, it also lists all versions from 2.6 to 3.1 as affected.

Do we know on which version of log4j ISE 2.7.0.356 is using? 

 

Hi @ganeshwaree.ramburruth ,

 please take a look at Cisco ISE 2.7 Release Notes, search for log4j.

 

Note: CSCvs66551 Multiple Vulnerabilities in apache log4j ... solved on 2.7 P5.

 

Hope this helps !!!

from here https://www.cisco.com/c/dam/en/us/td/docs/security/ise/2-7/open_source/IdentityServicesEngine27v10.pdf 

 

looks to be 2.11 (plus some older versions) 

 

that is .... if I am reading it right ... no guarantee of that 

Hi @Marcelo Morais ,

 

Thanks for the info. However the 2.7 version patch 5 is addressing an another vulnerability.

The new patch for this vulnerability will be in patch 7. 

OFFICIAL

So is the information listed in the Bug details not correct? Does the 3-patch4 fix this issue or not?
[cid:image001.png@01D7F0E4.62A5ED10]

This bug CSCvs66551 is for a vulnerability dated on the 2019  and it is not relevant.Bug Search Tool (cisco.com)

 

I dont believe it fixes the issue. If you go on this link Bug Search Tool (cisco.com), there is still no fixed release. 

 

Ahh my bad, I saw it was updated today with patches listed against it...... thought it was the current issues.

Hi @ganeshwaree.ramburruth ,

 Cisco provided a Hot Patch for the log4j PSIRT bug - CSCwa47133.: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz (15-Dec-2021).

HotPatchCSCwa47133.png

 

Hope this helps !!!

Thanks Marcelo,

I am already in process of applying it on my second node.

Out of interest, is someone able to confirm if this patch is going to be persistent, that is, if I am running ISE 2.7 Patch 4 as that is the highest version mention to be compatible with Cisco DNA Center 2.2.2.3 on 2.7 platform. If this later gets compatibility for Patch 6 and I install the patch, do I have to be concerned that this hotfix gets removed and needs to be reapplied?

Thanks in advance.

Hi @AigarsK ,

 I always prefer to rollback the Hot Patch before applying a regular ISE Patch release.

 You are able to use the "show application" command to check the Hot Patch installation or the "show logging application hotpatch.log" to check if the Hot Patch was installed successfully.

 

Hope this helps !!!