Log4j bug for ISE v2.1

I can see a patch for this bug for ISE 2.4 to 3.1 (Log4j), but not for ISE version 2.1.0. How can I patch it? Or is it mandatory to upgrade to 2.4 first?

Thanks.

Accepted Solution

Mike.Cifelli
VIP Alumni

2.1 is ancient. Unfortunately for your case here I am thinking you will need to upgrade to at least 2.4 in order for that hotfix to work. Cisco doesn't support 2.1 any longer (see here: Cisco Identity Services Engine 2.1 - Cisco). HTH!

4 Replies


Thanks Mike, I will inform the customer.

Damien Miller
VIP Alumni

This is a great opportunity to speak to the customer about upgrading to a release that is under support. Cisco did not evaluate ISE 2.3 or older for the log4j vulnerability due to the end of support milestone being reached. We are able to see from the open source package listing that ISE 2.1 does leverage log4j 1.x leaving it potentially vulnerable. 
https://www.cisco.com/c/dam/en/us/td/docs/security/ise/2-1/open_source/cisco_identity_services_engine_21.pdf

Both log4j 1.x and 2.x have discovered vulnerabilities, but this is the specific note for log4j 1.x. Not knowing how log4j 1.x is configured within ISE leaves the potential risk. 

Log4j 1.x mitigation

Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

The best course of action is to upgrade ISE. 
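The Apache note quoted above reduces the Log4j 1.x question to one check: does any logging configuration wire up `org.apache.log4j.net.JMSAppender`? The script below, an added example that is not part of this thread and not a Cisco or ISE tool, implements that audit over the two Log4j 1.x configuration formats (`log4j.properties` and `log4j.xml`). ISE does not document where its Log4j configuration lives, so the sample configurations here are constructed for the example; the same functions can be pointed at any config files you can get hold of (for instance from an extracted support bundle). File names and the broker URL in the samples are hypothetical.

```python
"""Audit Log4j 1.x configuration files for JMSAppender (CVE-2021-4104).

Added example, not code from the Cisco Community thread and not Cisco/ISE
tooling. It implements the Apache guidance: a Log4j 1.x configuration is
only affected when it configures org.apache.log4j.net.JMSAppender, so we
report every appender of that class. All sample configs are constructed.
"""
import os
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# log4j.properties declares appenders as:  log4j.appender.<name>=<fully.qualified.Class>
# Sub-keys such as log4j.appender.<name>.ProviderURL contain a further '.', so
# the name group deliberately excludes '.', '=' and whitespace.
_PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")


def jms_appenders_in_properties(text: str) -> list[str]:
    """Names of appenders in a log4j.properties body whose class is JMSAppender."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # .properties comment lines
            continue
        m = _PROP_APPENDER.match(line)
        if m and m.group(2) == JMS_APPENDER:
            found.append(m.group(1))
    return found


def jms_appenders_in_xml(text: str) -> list[str]:
    """Names of <appender> elements in a log4j.xml body whose class is JMSAppender.

    log4j.xml prefixes only the root element (log4j:configuration); the
    <appender> children carry no namespace, so a plain tag match works.
    """
    root = ET.fromstring(text)
    return [el.get("name", "<unnamed>")
            for el in root.iter("appender")
            if el.get("class") == JMS_APPENDER]


def audit_log4j1_config(filename: str, text: str) -> dict:
    """Audit one configuration body, choosing the parser by file extension."""
    names = (jms_appenders_in_xml(text) if filename.lower().endswith(".xml")
             else jms_appenders_in_properties(text))
    return {"file": filename, "jms_appenders": names, "affected": bool(names)}


def audit_directory(root_dir: str) -> list[dict]:
    """Walk a directory tree and audit every log4j.properties / log4j.xml found."""
    results = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in ("log4j.properties", "log4j.xml"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.append(audit_log4j1_config(path, fh.read()))
    return results


# Constructed sample: a properties config that wires up JMSAppender (affected).
SAMPLE_PROPERTIES_AFFECTED = """\
# constructed sample, not a real ISE configuration
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.internal:61616
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

# Constructed sample: the same config with only a file appender (not affected).
SAMPLE_PROPERTIES_CLEAN = """\
# constructed sample, not a real ISE configuration
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
"""

# Constructed sample: XML form with a JMSAppender next to a harmless console appender.
SAMPLE_XML_AFFECTED = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout"/>
  </appender>
  <appender name="audit-jms" class="org.apache.log4j.net.JMSAppender">
    <param name="ProviderURL" value="tcp://broker.example.internal:61616"/>
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for name, body in (("log4j.properties", SAMPLE_PROPERTIES_AFFECTED),
                       ("log4j-clean.properties", SAMPLE_PROPERTIES_CLEAN),
                       ("log4j.xml", SAMPLE_XML_AFFECTED)):
        print(audit_log4j1_config(name, body))
```

Run it as-is to see the three constructed samples classified; call `audit_directory("/path/to/extracted/configs")` against real files. The check is a necessary-condition test only: it tells you whether the CVE-2021-4104 precondition (a configured JMSAppender) is present, not whether the rest of ISE 2.1's dependency set is clean, which is why the upgrade advice above still stands.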

Leo Laohoo
Hall of Fame

Get the customer to talk to the Cisco AM/SE. 
If the customer is one of those very big customers (or someone who can "really" get Cisco to listen), then something "can be done".