
ISE OpenAPI Trusted Certificate upload fails due to malicious content

Johannes Botha
Level 1

Hi

I've been testing some scripts against the ISE 3.2.0 OpenAPI to test the functionality, and I found an issue uploading a trusted certificate for Let's Encrypt via the OpenAPI. If I download the intermediate certificate from https://letsencrypt.org/certs/lets-encrypt-r3.pem and use the ISE admin portal to upload it, it works 100%.

When I use the OpenAPI to upload the certificate, I get a security check failed.

I then downloaded the next certificate in the chain for Let's Encrypt, https://letsencrypt.org/certs/isrgrootx1.pem.

I used the same procedure and the upload is successful.

 

The error in the log on ISE says something about malicious content in the certificate.

Anybody seen this or know of a solution?

 

In the end I want to have the certificate and deployment done all via a script.

You still need to enable ERS on the admin portal before you can start doing any script testing.

Added messages from the log file:

2022-10-23 17:47:08,898 INFO [openapi-http-pool9][[]] cpm.iseopenapi.certmgmt.validators.CertMgmtSecurityValidator -::::- Inside certSecurityCheck, checking if certificate has been detected with Malicious content
2022-10-23 17:47:08,901 ERROR [openapi-http-pool9][[]] cpm.iseopenapi.certmgmt.validators.CertMgmtValidator -::::- Exception while validating request
com.cisco.cpm.admin.restui.websec.WebSecurityException: null
at com.cisco.cpm.admin.restui.websec.WebSecurityCheckerUtil.onBeanSecurityBreaches(WebSecurityCheckerUtil.java:512) ~[admin-rest-infra-3.2.0-542.jar:?]
2022-10-23 17:47:08,901 ERROR [openapi-http-pool9][[]] cpm.iseopenapi.certmgmt.validators.CertMgmtValidator -::::- Found Malicious content in request: [CN=R3,O=Let's Encrypt,C=US, CN=R3,O=Let's Encrypt,C=US]
2022-10-23 17:47:08,901 ERROR [openapi-http-pool9][[]] cpm.iseopenapi.certmgmt.validators.CertMgmtSecurityValidator -::::- Malicious content detected in Certificate Attributes
com.cisco.cpm.infrastructure.certmgmt.openapi.exception.CertMgmtAPIValidationFailedEx: Found malicious content in request
at com.cisco.cpm.iseopenapi.certmgmt.validators.CertMgmtValidator.checkReqSecurity(CertMgmtValidator.java:90) ~[certmgmt-oas-3.2.0-542.jar:?]

3 Replies

wordenj
Level 1

I think I found the issue. The issue is that Cisco's web security pattern validator is detecting what it thinks is a potential SQL injection pattern in the certificate's subject field.

The specific problem is with this part of the certificate subject:

 
CN=R11,O=Let's Encrypt,C=US

The validator is triggering on the string Let's because it contains an apostrophe ('). The security pattern ((%3D)|(=))[^ ]*((%27)|(')|(--)|(%3B)|(;)) is looking for an equals sign followed by an apostrophe, which it interprets as a potential SQL injection attempt.

From the ISE logs:

2025-07-19 08:00:35,269 ERROR [webSec-5][[]] cpm.admin.restui.websec.PatternBasedAnalyzer -:::::- Value was found harmful by the pattern:com.cisco.cpm.admin.restui.websec.InsecurePattern:[meta] pattern:((%3D)|(=))[^ ]*((%27)|(')|(--)|(%3B)|(;)) action:Error value:CN=R11,O=Let's Encrypt,C=US parameter name:content exclusionTag:ValidationContent
2025-07-19 08:00:35,271 ERROR [openapi-http-pool3][[]] cpm.iseopenapi.certmgmt.validators.CertMgmtValidator -:::::- Exception while validating request com.cisco.cpm.admin.restui.websec.WebSecurityException: null.
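
As an added example (not part of this thread or of any Cisco code), the script below applies the exact pattern quoted in the log above to a few certificate subject strings, so a deployment script can predict which trusted certificates the OpenAPI upload will reject before trying. The subject strings are constructed inline for the demo (the Let's Encrypt ones match what the logs show; the "lab-ca" one is hypothetical). It assumes the validator runs this regex case-sensitively over the RFC 4514 subject string, which is all the log lines establish; whether ISE also scans the issuer or other attributes is not shown here.

```python
import re

# Pattern copied verbatim from the PatternBasedAnalyzer log line in this thread.
# It flags '=' (or its URL-encoded form %3D) followed by any run of non-space
# characters and then an apostrophe, '--', or ';' (or their encoded forms).
INSECURE_PATTERN = re.compile(r"((%3D)|(=))[^ ]*((%27)|(')|(--)|(%3B)|(;))")


def find_flagged_fragments(value: str) -> list[str]:
    """Return each substring of `value` that the pattern would report as harmful.

    Because `[^ ]*` is greedy and there is no space between "O=" and the
    apostrophe in "Let's", the match starts at the first '=' in the subject and
    runs up to and including the apostrophe.
    """
    return [m.group(0) for m in INSECURE_PATTERN.finditer(value)]


def would_be_rejected(subject: str) -> bool:
    """True if the OpenAPI certificate upload would fail the security check."""
    return INSECURE_PATTERN.search(subject) is not None


# Constructed sample subjects for the demo, not extracted from the PEM files.
SAMPLE_SUBJECTS = {
    "lets-encrypt-r3": "CN=R3,O=Let's Encrypt,C=US",
    "lets-encrypt-r11": "CN=R11,O=Let's Encrypt,C=US",
    "isrg-root-x1": "CN=ISRG Root X1,O=Internet Security Research Group,C=US",
    # Hypothetical private CA showing that ';' trips the same rule as the apostrophe.
    "lab-ca": "CN=Lab CA,O=Bob's Lab,OU=IT;Dept,C=US",
}


def triage(subjects: dict[str, str]) -> dict[str, list[str]]:
    """Map each certificate name to the fragments the validator would flag."""
    return {name: find_flagged_fragments(subj) for name, subj in subjects.items()}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_SUBJECTS).items():
        status = "REJECT" if hits else "ok"
        print(f"{status:6} {name}: {hits}")
```

Running it shows the two Let's Encrypt intermediates flagged on `=R3,O=Let'` / `=R11,O=Let'` while ISRG Root X1 passes, which matches the behaviour reported in the original post. It also shows that the rule is not specific to Let's Encrypt: any subject attribute value containing an apostrophe or semicolon with no space after the preceding `=` will be treated the same way.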

@wordenj - that's a great bit of research and I hope this has been reported to Cisco and a bug ID raised?

 

I opened up a TAC case and waiting for an engineer. I'll repost with a Bug ID once I can get them to create it.