12-12-2021 07:59 PM
Hello,
Could someone please advise which version of ISE is not affected by the log4j vulnerability?
What is the workaround, if any?
Cheers,
Gan
12-16-2021 12:41 AM
Thanks Marcelo for the advice.
12-16-2021 10:29 AM
Interesting, Marcelo, thanks for sharing this. I'm not sure I would have thought to do that.
Is this approach specifically advised, or have you just learnt the hard way?
12-18-2021 01:55 AM
Hi @u4mjac1975 ,
when you asked me "Is this approach specifically advised, or have you just learnt the hard way?" ... rolling back the Hot Patch before applying a regular ISE Patch release is a "mix of experiences" (advised and the hard way).
Note: especially when I installed a Summertime Hot Patch.
Regards
12-16-2021 08:28 AM
I can't speak specifically to ISE 2.7, but for v2.4 the documentation recommends that any applied hotfixes be removed prior to any patch installation. I will tell you from experience that not following that recommendation can lead to very bad things.
12-16-2021 02:01 AM
Yes, I am going to apply the hot fix. Thanks.
12-16-2021 12:48 AM
Hi,
I just downloaded the small files (4 and 5 KB) and transferred them to my repo.
Before I start the installation, I have a question:
Do I need to restart the ISE nodes after installation? I can't find any information about this in the README file.
Regards,
Dennis
12-16-2021 01:14 AM
Hi @DennisTX ,
during the Hot Patch installation, the Application Server restarts ... take a look at the following:
Note: remember to install the Hot Patch on all Nodes.
ise/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz LOCAL
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
Checking if CSCwa47133_all_common_1 is already applied
- Successful
Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
- Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application
Hot patch applied successfully
job 1 at Thu Dec 16 06:05:00 2021
Application successfully installed
ise/admin# show application
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6
Hope this helps !!!
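The installer output above shows what the hot patch actually does to the node: it backs up the log4j-core jar under the Elasticsearch lib directory, deletes the JndiLookup class from that jar and restarts the application server. The following is an added example written for this thread, not Cisco's hot patch script and not something you can run on the ISE appliance (the admin CLI gives no shell); it performs the same check and removal on a copy of a jar, or on any other Java host you manage. The jar it builds in build_sample_jar() is a constructed fixture standing in for log4j-core, and the lib/ path and file names are illustrative.

```python
"""Detect and strip JndiLookup.class from a log4j-core jar, the mitigation the
CSCwa47133 hot patch applies.  Added example for this thread, not Cisco's
hot patch script; it cannot run on the ISE appliance (no shell there) and is
meant for a copy of the jar or for other Java hosts.  The jar built by
build_sample_jar() is a constructed fixture, not real log4j."""
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """True if the jar still contains the JndiLookup class entry."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def jars_with_jndi_lookup(directory):
    """Walk a tree and list every jar that still carries JndiLookup.class."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(root, name)
            try:
                if has_jndi_lookup(path):
                    hits.append(path)
            except zipfile.BadZipFile:
                continue  # not a zip container; nothing to check
    return sorted(hits)


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class, keeping <jar>.bak as the hot
    patch output does.  Returns True if the class was removed, False if absent."""
    if not has_jndi_lookup(jar_path):
        return False
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path), suffix=".jar")
    os.close(fd)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            dst.writestr(info, src.read(info))  # keeps per-entry metadata
    os.replace(tmp_path, jar_path)  # the running JVM must be restarted to pick this up
    return True


def build_sample_jar(path, with_jndi=True):
    """Constructed fixture: a tiny fake log4j-core jar with stub class entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Build fixtures, scan, strip, rescan.  Returns a dict of the observations."""
    work = tempfile.mkdtemp()
    try:
        vuln = build_sample_jar(os.path.join(work, "lib", "log4j-core-sample.jar"))
        clean = build_sample_jar(os.path.join(work, "lib", "other.jar"), with_jndi=False)
        before = jars_with_jndi_lookup(work)
        removed = strip_jndi_lookup(vuln)
        second = strip_jndi_lookup(vuln)  # already stripped, nothing to do
        after = jars_with_jndi_lookup(work)
        with zipfile.ZipFile(vuln) as zf:
            kept = sorted(zf.namelist())
        return {
            "before": [os.path.relpath(p, work) for p in before],
            "removed": removed,
            "second_strip": second,
            "after": after,
            "kept": kept,
            "backup_exists": os.path.exists(vuln + ".bak"),
            "clean_untouched": not os.path.exists(clean + ".bak"),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The scan only looks at top-level entries of each jar; log4j-core bundled inside a fat jar or a WAR would need the same check applied recursively. Removing the class is a workaround, not a fix: it disables the JNDI lookup but leaves the vulnerable library version in place, which is why the thread's advice to move to a fixed patch release (and to roll the hot patch back before applying it) still applies.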
12-23-2021 09:48 AM
@Marcelo Morais wrote:
ise/admin# show application
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6
How can I check that the ISE node has applied the patch?
By executing the show application command? Or is there another way?
If yes, then I have this question:
I have applied the patch successfully, but I do not see it within the applied patches at all.
So I have tried to apply it again, with an "already applied" result.
I reloaded the node and I still do not see the log4j patch applied, but it tells me it is there.
Why is my experience applying the patch different from yours?
ise01/sadmin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz backup
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
Checking if CSCwa47133_all_common_1 is already applied
- Failed
- CSCwa47133_all_common_1 is already applied
% Application install or upgrade cancelled.
ise01/sadmin# show application
<name> <Description>
ise Cisco Identity Services Engine
Patches: 3 6
12-23-2021 10:13 AM
12-23-2021 10:45 AM
Yeah I know:
show logging application hotpatch.log
Wed Dec 22 17:50:32 CET 2021 => CSCwa47133_all_common_1 => CSCwa47133
But why is it not seen in the show application output?
In Marcelo Morais's output we can see it.
12-23-2021 10:14 AM
Hi @stayd ,
you are able to check the installation via:
ise/admin# show application
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6
or
ise/admin# show version history
...
---------------------------------------------
Install Date: Thu Dec 23 15:09:33 -03 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: <repository name>
Hope this helps !!!
12-23-2021 10:50 AM - edited 12-23-2021 10:51 AM
@Marcelo Morais wrote:
Hi @stayd ,
you are able to check the installation via:
ise/admin# show version history
...
---------------------------------------------
Install Date: Thu Dec 23 15:09:33 -03 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: <repository name>
It is strange:
---------------------------------------------
Install Date: Wed Dec 22 17:50:32 CET 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: backup
---------------------------------------------
Install Date: Wed Dec 22 17:51:00 CET 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Remove
ise01/sadmin# show logging application hotpatch.log
Wed Dec 22 17:50:32 CET 2021 => CSCwa47133_all_common_1 => CSCwa47133
ise01/sadmin# show application
<name> <Description>
ise Cisco Identity Services Engine
Patches: 3 6
Initiating Application Install...
Checking if CSCwa47133_all_common_1 is already applied
- Failed
- CSCwa47133_all_common_1 is already applied
% Application install or upgrade cancelled.
So how do we read this all together?
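The two outputs quoted in this exchange, show version history and show application, are the only records the CLI gives of a hot patch's lifecycle, and the history can hold both an Install and a later Remove for the same application. The following is an added example written for this thread, not Cisco code: ISE offers no scripting on the appliance, so it runs on text captured from the CLI. It parses the history records, lets the latest event per application decide whether a hot patch is currently applied, and reconciles that with the names listed by show application. The sample strings are copied from the outputs posted above by stayd and by Marcelo; the timezone token in Install Date (CET, -03) is ignored because strptime cannot parse arbitrary zone names.

```python
"""Reconstruct hot patch state from ISE `show version history` and reconcile
it with `show application`.  Added example for this thread, not Cisco code;
run it on text captured from the CLI.  Samples are the outputs posted in the
thread (stayd's Install followed by a Remove, Marcelo's single Install)."""
import re
from datetime import datetime

HISTORY_STAYD = """\
---------------------------------------------
Install Date: Wed Dec 22 17:50:32 CET 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: backup
---------------------------------------------
Install Date: Wed Dec 22 17:51:00 CET 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Remove
"""
SHOW_APP_STAYD = """\
<name> <Description>
ise Cisco Identity Services Engine
Patches: 3 6
"""
HISTORY_MARCELO = """\
---------------------------------------------
Install Date: Thu Dec 23 15:09:33 -03 2021
Application: Apply_CSCwa47133_all_common_1
Version: 1
Install type: Application Install
Bundle filename: ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
Repository: <repository name>
"""
SHOW_APP_MARCELO = """\
<name> <Description>
urt Cisco ISE - Upgrade Readiness Tool
Apply_CSCwa47133_all_common_1 Apply_CSCwa47133_all_common_1
ise Cisco Identity Services Engine
Patches: 2 3 5 6
"""

DATE_RE = re.compile(r"^(\w{3}) (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\d{4})$")


def parse_install_date(text):
    """'Wed Dec 22 17:50:32 CET 2021' -> naive datetime; the zone token is
    dropped because strptime only knows UTC/GMT and the local zone name."""
    m = DATE_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Install Date: %r" % text)
    dow, mon, day, clock, _tz, year = m.groups()
    return datetime.strptime("%s %s %s %s %s" % (dow, mon, day, clock, year),
                             "%a %b %d %H:%M:%S %Y")


def parse_version_history(text):
    """Split the dashed records into dicts, sorted by install date."""
    records = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)  # first colon only; times keep theirs
                fields[key.strip()] = value.strip()
        if "Application" in fields and "Install Date" in fields:
            fields["when"] = parse_install_date(fields["Install Date"])
            records.append(fields)
    records.sort(key=lambda r: r["when"])
    return records


def hotpatch_state(history_text):
    """Latest event wins: {app: 'applied' | 'removed'} for every Apply_* entry."""
    state = {}
    for rec in parse_version_history(history_text):
        app = rec["Application"]
        if app.startswith("Apply_"):
            state[app] = "removed" if "Remove" in rec.get("Install type", "") else "applied"
    return state


def parse_show_application(text):
    """Names listed by `show application` (first token of each data line)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("<name>") and not line.startswith("Patches:"):
            names.add(line.split()[0])
    return names


def reconcile(history_text, show_app_text):
    """Return (hot patches applied per history, hot patches listed, mismatches)."""
    applied = sorted(a for a, s in hotpatch_state(history_text).items() if s == "applied")
    listed = sorted(n for n in parse_show_application(show_app_text) if n.startswith("Apply_"))
    return applied, listed, sorted(set(applied) ^ set(listed))


if __name__ == "__main__":
    print("stayd:  ", reconcile(HISTORY_STAYD, SHOW_APP_STAYD))
    print("marcelo:", reconcile(HISTORY_MARCELO, SHOW_APP_MARCELO))
```

Read this way, stayd's history ends on an Application Remove, which is consistent with show application not listing the hot patch on that node, while Marcelo's history ends on an Install and show application lists it; the "already applied" message from a re-run comes from a different check than either listing. The mismatch list is the thing to look at when the two views disagree: a hot patch that history says is applied but show application does not list (or the reverse) is worth a TAC case before any regular patch is installed on top of it.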
12-16-2021 01:16 AM
Hi DennisTX,
During the installation of the HotFix, it does restart the Cisco ISE Application Server; no full ISE restart is required as far as I can tell.
Nothing else was required, apart from considering the impact it might have on your deployment so that user authentication is not disrupted.
12-16-2021 02:07 AM
Thank you,
I'm trying to install the hotfix on our passive admin node.
But for now, it's stuck at "building configuration" after saving the current ADE-OS running configuration, for around 40 minutes. I guess this is too long.
System information:
SNS-3655-K9.
ISE: 2.7.0.356
ADE: 3.0.7.057
Any suggestions?
Regards,
Dennis
12-16-2021 02:12 AM
I have not started yet, but yes, ISE does take a long time to upgrade.
Anyone who has already applied the hot fix, could you confirm the time taken?