Cisco Employee

ISE Patch vs RHEL Patch

Customer needs to know what the best practices are for patching not only ISE itself but also the underlying RHEL kernel, should there be a CVE that needs to be patched for RHEL by their Linux Admin. The understanding is that Cisco will not provide the RHEL patch; the customer's Linux Admin would have to complete that task. How would the customer know if patching RHEL will break ISE itself?

1 ACCEPTED SOLUTION

Cisco Employee

Re: ISE Patch vs RHEL Patch

From the TAC case notes, the customer's inquiry is fairly general. 

Chetankumar Phulpagare stated it correctly that the specific issues are handled by reporting, bug filing and other processes, and then reviewed by our engineering teams. ISE patches are possible if the solutions are more contained; otherwise, they might require upgrading to a newer ISE release.

7 REPLIES
Cisco Employee

Re: ISE Patch vs RHEL Patch

Customer needs to work through TAC. All patching will be done by the ISE team. There is no way for customer to patch the system themselves.
Cisco Employee

Re: ISE Patch vs RHEL Patch

Hey Jason,
Thanks for the reply. Here's what I got from TAC and ISE-PM:

TAC: "Any RHEL vulnerabilities found would need to be patched by the Linux Admin and not via ISE patch."

ISE-PM: "We do not issue patches for Linux OS vulnerabilities. That would come from a Linux admin."

So this leaves the question: how can a customer patch the Linux OS without knowing if it will break ISE?
Cisco Employee

Re: ISE Patch vs RHEL Patch

Please get me the info on who stated this.

ISE would only be patched by ISE developers. They are the only ones that have access to the appropriate files and systems to make it happen.

Please forward this to the TAC and PM. This is coming from the technical marketing team.
Cisco Employee

Re: ISE Patch vs RHEL Patch

Perhaps some misunderstanding. If possible, please share with me the TAC case number to take a look.

Some OS changes are not patchable, e.g. CSCvg15984.

Cisco Employee

Re: ISE Patch vs RHEL Patch

TAC case 684817304
Cisco Employee

Re: ISE Patch vs RHEL Patch

Similar situations have come up in the past with OpenSSL vulnerabilities. The process for such situations is that Cisco PSIRT gets notified about third-party vulnerabilities and they coordinate patch fix testing for the Cisco application with the respective BU. The BU will track the fix using a bug ID, and PSIRT will publish an advisory with all the details of when and what patch, in this case an ISE patch, will have the fix for the vulnerability.

 

Hope this helps!