
ISE 2.7 patch 3 installed and log4j hot patch is applied.

MAGNUS SVENSSON
Level 1

ISE 2.7 patch 3 installed and log4j hot patch is applied. If I install patch 6, do I have to apply the log4j hot patch after that?

Accepted Solutions

balaji.bandi
Hall of Fame

Yes, as far as I remember, if any upgrade takes place, the patch needs to be applied, as per my understanding.

BB


9 Replies

Hi @MAGNUS SVENSSON ,

As @balaji.bandi said, the answer is yes, but remember that it is usually recommended to roll back a Hot Patch before applying a regular ISE Patch release!!!

Hope this helps!!!

I'm in the same boat as @MAGNUS SVENSSON.

Is there some official Cisco communication that confirms this is how it should be done?

Hi @Darkmatter ,

Please take a look at: Cisco Secure Alert and December Security Update Review.

Hope this helps!!!

Thank you @Marcelo Morais, I'm well aware of Log4J. With all due respect, the links you posted have nothing to do with the procedure of how to properly patch your ISE if you had the Log4J Hotpatch installed.

So my question remains, where to find the official and exact Cisco procedure that clearly states which steps to take in order to correctly install my 2.7 patch 6.

Hi @Darkmatter ,

No worries.

If you are talking about the step-by-step process to install log4j ... at ISE Software, search for Log4j2021, select your version, put your mouse over the filename and click the Release Notes (e.g.: README for installing Hot Patch to fix CSCwa47133).

If you are talking about ISE Patch installation, please take a look at: Patch Installation on ISE and FAQ during Installation.

Hope this helps!!!

Hello @Marcelo Morais ,

I finally found an answer myself by Googling and ... landing back on the forum here, a post provided by a Cisco employee, but regarding an older hotpatch and ISE 2.2:

https://community.cisco.com/t5/network-access-control/ise-2-2-patch-12-apache-struts-vulnerability/td-p/3774554

Don't know if this way of working is still valid or whether this changed in the meantime.

So to be absolutely sure, I'm going to create a TAC case for this to get a definitive answer from Cisco.

Because if it's not clearly documented, you'll never be sure whether this is the right or wrong way (with the possibility of breaking things if you are unlucky).

I'll revert back as soon as an answer on my TAC case is received!

Hi @Darkmatter ,

Glad to hear that.

Note: if you are looking for the HotPatch Rollback process, it is described at the link I provided before:

===============
How to Rollback 
===============

(Note: This is only required if you need to remove the hot patch)

Login to ISE CLI
Invoke the following command to rollback the hot patch:

"application install ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz  <REPOSITORY_NAME>"

Regards

Darkmatter
Level 1

As per Cisco TAC where we had a case open to ask and confirm, log4j patch does not need to be uninstalled and you can patch directly.

Hope this helps!