05-03-2022 01:35 AM
Hi all
Basically the title says it all. Does ISE 3.0 Patch 5 still require the Log4j Hotfix? I'm asking because the release notes state CSCwa47133 as fixed, but neither the hotfix notes nor the bug notes have been updated in regards to Patch 5.
Thanks
Patrick
05-03-2022 01:52 AM
As far as I know, yes, it is required to patch.
05-03-2022 07:07 AM
I agree with @balaji.bandi that it is required.
Additional links that should help:
Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
CSCwa47133 : Bug Search Tool (cisco.com)
05-03-2022 08:05 AM
Thanks for your replies. Then it's not really nice that this bug is listed as resolved with P5.
05-03-2022 08:22 AM
- Indeed, but I too am near-sure that it (still) needs to be applied in your case (too). Of course one could look for exploit examples with the searching powers of the Net, but that would indeed require some additional effort.
M.
05-04-2022 12:20 AM
Also using exploits might damage the appliance, if still vulnerable. But I hope for the best that P5 indeed includes the patch (it was released some 3-4 months after the log4j patch).
05-04-2022 02:14 AM - edited 05-04-2022 02:35 AM
- That's a dilemma indeed; I don't want to always be the Mr. Right person. But here there are solutions too, such as importing or migrating/mapping an appliance to a virtual (VM) copy and testing on a kind of isolated network. All that of course depends on how strong the security requirements for the particular intranet are.
- Or even installing a virgin ISE node with the particular ISE-version and testing on it.
M.
05-03-2022 03:55 PM
Hi @patoberli,
Please take a look at: CSCwa47133 ISE Evaluation log4j CVE-2021-44228, ISE 3.0 P5 is a Known Fixed Release:
Also take a look at ISE 3.0 Release Notes.
IMO you are good and don't need to install the hotfix.
Hope this helps!!!