ISE Patch vs RHEL Patch

Joshua Turner
Cisco Employee

Customer needs to know what the best practices are for patching not only ISE itself, but also the underlying RHEL kernel, should there be a CVE that needs to be patched for RHEL by their Linux Admin. The understanding is that Cisco will not provide the RHEL patch; the customer's Linux Admin would have to complete that task. How would the customer know if patching RHEL will break ISE itself?

Accepted Solutions

From the TAC case notes, the customer's inquiry is fairly general. 

Chetankumar Phulpagare stated it correctly that the specific issues are handled by reporting, bug filing and other processes, and then reviewed by our engineering teams. ISE patches are possible if the solutions are more contained; otherwise, they might require upgrading to a newer ISE release.

7 Replies

Jason Kunst
Cisco Employee
Customer needs to work through TAC. All patching will be done by the ISE team. There is no way for the customer to patch the system themselves.

Hey Jason,
Thanks for the reply. Here's what I got from TAC and ISE-PM:

TAC: "Any RHEL vulnerabilities found would need to be patched by the Linux Admin and not via ISE patch."

ISE-PM: "We do not issue patches for Linux OS vulnerabilities. That would come from a Linux admin."

So this leaves the question: how can a customer patch the Linux OS without knowing if it will break ISE?

Please get me the info on who stated this.

ISE would only be patched by ISE developers. They are the only ones that have access to the appropriate files and systems to make it happen.

Please forward this to the TAC and PM. This is coming from the technical marketing team.

Perhaps some misunderstanding. If possible, please share with me the TAC case number to take a look.

Some of the OS changes are not patchable; e.g., CSCvg15984

TAC case 684817304

Chetankumar Phulpagare
Cisco Employee

Similar situations have come up in the past with OpenSSL vulnerabilities. The process for such situations is that Cisco PSIRT gets notified about third-party vulnerabilities and they coordinate patch fix testing for the Cisco application with the respective BU. The BU will track the fix using a bug ID, and PSIRT will publish an advisory with all the details of when and what patch, in this case an ISE patch, will have the fix for the vulnerability.

Hope this helps!
