You and me both Marvin ;)

If anyone applied the patch, especially to a deployment that has 8 or more nodes, please share the results. Much appreciated. 

---

@Ping Zhou wrote:

If anyone applied the patch, especially to a deployment that has 8 or more nodes, please share the results.

---

I'm with Marvin. I'm going to wait, for about four to six weeks, before doing anything. Y'know, "just in case".

7 Node deployment - no issues yet, other than context visibility is still borked but has been for the last several 2.x versions.

---

@hslai wrote:

ISE 2.4 Patch 2 Release is now available at Cisco Software Download for ISE 2.4. Resolved Caveats in Cisco ISE Release 2.4 - Cumulative Patch 2 has more info.

 

Update 2018-Aug-03: This Patch Release has been re-posted on 2018-Aug-02. The new bundle file name is

ise-patchbundle-2.4.0.357-Patch2-18080100.SPA.x86_64.tar.gz

 

Due to CSCvk57963, it replaces the previous posted bundle which has the filename ise-patchbundle-2.4.0.357-Patch2-18072612.SPA.x86_64.tar.gz.

---

Has anyone experienced any serious issues with their deployment since patch 2 release?   I'm also curious on how it behaves on a 6+ node deployment.  

---

@iseman-18 wrote:

Has anyone experienced any serious issues with their deployment since patch 2 release? I'm also curious on how it behaves on a 6+ node deployment.

---

I'd recommend hold off for now until Cisco release a new patch to fix the Apache Struts Remote Code Execution Vulnerability (August 2018).

Good call,  thank you.   When is the ETA for the next patch? 

---

@iseman-18 wrote:

Good call, thank you. When is the ETA for the next patch?

---

Struts v2 fix was released a few hours ago.  

Please let us know if the patch works. 

I applied the Struts v2 hotfix and it works fine.

Unless you really need that fix, I'd wait until it's rolled into the next 2.4 patch release - Patch 3 will probably be out later in September.

Hotfixes are generally recommended for customers with immediate concerns about the issue remedied by the hotfix. They are subject to a lesser set of regression testing than full patches and are typically deployed to fewer customer systems, giving us less "real world" deployments to provide potential feedback.

I think I have asked this question elsewhere on this Community before, but the answer wasn't 100% certain:  can we simply install patch 3 on a system that is running one or more hotfixes?   E.g, customer has ISE 2.4 patch 2 and wants Struts2 hotfix.  Then in September patch 3 comes along.  What happens if we simply install patch 3?  I cannot imaging putting customers through the pain of "rolling back" hotfix, with all the downtime involved, and then more downtime by installing patch 3.  Can someone please confirm

Patch installation should not require a hotfix rollback. Generally the Patch should include hotfixes that were publicly released prior to the patch. There may be corner cases where a hotfix was released after the code was frozen for final QA and publication/distribution to the CDN.

Special file publish hotfixes may be an exception to this rule but then they aren't publicly released.

When in doubt check the release notes when a new patch is released or open a TAC case to confirm.

Hello, it looks like patch 3 was released yesterday.   Cisco is moving fast!  Is it safe to deploy?  

@iseman-18 it's a bit too soon to tell after only 24 hours or so.

I can confirm that it installed fine on my lab server (VM) and a greenfield deployment I am doing just now (2 nodes on SNS-3515 appliances).

@iseman-18 Unless there is a production impacting bug you are actively trying to fix, it's probably best to let the patch soak for a week or two.  They obviously test patches prior to release, but it's next to impossible to account for every situation.  

P3 certainly arrived sooner than I thought it would.  Time to follow Marvins lead and throw it on the lab deployments.