If you haven’t heard about the Log4j vulnerability, you must have been living under a rock for the past few weeks. Cisco was quick to release a hot patch for ISE, and you can download it from the usual Cisco download page. For versions 2.7 - 3.0 you need to download the following two files:
ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
There is already a pretty good installation guide, which can be found here: https://www.cisco.com/web/software/283802505/159582/README_Hotpatch_CSCwa47133_Log4j2-fix-2.4-3.0.txt
Installation
The process is extremely simple: you just need to run a single command. Make sure the hot patch file has already been uploaded to your repository. All services are restarted during the installation, so plan it accordingly. If you have a distributed deployment, the patch needs to be installed on every ISE node.
You can also roll back the hot patch installation by using the rollback file.
ise-01/admin# show repository MY-FTP
ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise-01/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz MY-FTP
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
Checking if CSCwa47133_all_common_1 is already applied
- Successful
Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
- Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application
Hot patch applied successfully
job 1 at Wed Jan 5 19:43:00 2022
Application successfully installed
As you can see below, all the services were restarted during the installation.
ise-01/admin# show application status ise
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 19799
Database Server running 82 PROCESSES
Application Server not running
Profiler Database not running
ISE Indexing Engine not running
AD Connector not running
M&T Session Database not running
M&T Log Processor not running
Certificate Authority Service not running
EST Service not running
SXP Engine Service disabled
Docker Daemon not running
TC-NAC Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
PassiveID WMI Service disabled
PassiveID Syslog Service disabled
PassiveID API Service disabled
PassiveID Agent Service disabled
PassiveID Endpoint Service disabled
PassiveID SPAN Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled
ISE Messaging Service not running
ISE API Gateway Database Service not running
ISE API Gateway Service not running
Segmentation Policy Service disabled
REST Auth Service disabled
SSE Connector disabled
It took around 10 minutes for me but may take longer depending on your configuration.
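The installer output above says the fix works by deleting JndiLookup.class from log4j-core. The following is an added example (not from the Cisco README or from ISE itself) showing how to verify that on any host where you can reach the jar files: it walks a directory tree, finds every log4j-core-*.jar and reports whether the JNDI lookup class is still present. The function names, the scan root and the sample jars built in a temp directory are all constructed for this example.

```python
"""Report whether log4j-core jars still contain JndiLookup.class, the entry the
CSCwa47133 hot patch removes. Added example, not Cisco's or ISE's own code."""
import fnmatch
import os
import tempfile
import zipfile

# The hot patch mitigates Log4Shell by deleting this entry from log4j-core.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_GLOB = "log4j-core-*.jar"


def jar_has_jndi_lookup(jar_path):
    """Return True if the jar still ships JndiLookup.class (i.e. unpatched)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def scan_log4j_jars(root):
    """Walk `root` and map each log4j-core jar path to 'patched' or 'vulnerable'.
    On an ISE node the jar lives under /opt/CSCOcpm/elasticsearch/lib (the path the
    installer prints); pass whatever directory is relevant on your host."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in fnmatch.filter(files, LOG4J_CORE_GLOB):
            path = os.path.join(dirpath, name)
            results[path] = "vulnerable" if jar_has_jndi_lookup(path) else "patched"
    return results


def build_sample_jar(path, include_jndi_lookup):
    """Constructed fixture: a minimal jar with or without the JNDI lookup class."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


def demo():
    """Build one unpatched and one patched sample jar in a temp tree and scan it."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "elasticsearch", "lib")
    os.makedirs(lib)
    build_sample_jar(os.path.join(lib, "log4j-core-before.jar"), True)
    build_sample_jar(os.path.join(lib, "log4j-core-after.jar"), False)
    return scan_log4j_jars(root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:10s} {path}")
```

Running it prints one line per jar found; after a successful hot patch every log4j-core jar on the node should report as patched.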
Rollback
If you want to roll back for whatever reason, you just need to install the 'rollback' file.
application install ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz MY-FTP