Cisco ISE Log4j Patch Installation CSCwa47133

Cisco ISE Log4j Patch Installation CSCwa47133

If you haven’t heard about Log4j vulnerability, then you must have been living under a rock for the past few weeks. Cisco was quick to release the hot patch for the ISE and you can download it from the usual Cisco download page. You need to download the following two files for versions 2.7 - 3.0

ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
💡
There are two versions, one for ISE 2.4 - 3.0 (shown in this example) and another one for ISE 3.1. In case if you didn't know, ISE 2.3 and older versions are no longer supported by Cisco.

There is already a pretty good guide about the installation which can be found here https://www.cisco.com/web/software/283802505/159582/README_Hotpatch_CSCwa47133_Log4j2-fix-2.4-3.0.txt

Installation

The process is extremely simple, you just need to run a single command. Please ensure that the hot patch file is already uploaded to your repository. During the installation, all the services will be restarted so, make sure to plan it accordingly. If you have a distributed deployment then the patch needs to be installed on every ISE node.

You can also rollback the hot patch installation by using the rollback file.

ise-01/admin# show repository MY-FTP
ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise-01/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz MY-FTP

Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...

Checking if CSCwa47133_all_common_1 is already applied
  - Successful

Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
  - Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application
 
Hot patch applied successfully
job 1 at Wed Jan  5 19:43:00 2022

Application successfully installed

As you can see below, all the services were restarted during the installation.

ise-01/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          19799       
Database Server                        running          82 PROCESSES
Application Server                     not running                  
Profiler Database                      not running                  
ISE Indexing Engine                    not running                  
AD Connector                           not running                  
M&T Session Database                   not running                  
M&T Log Processor                      not running                  
Certificate Authority Service          not running                  
EST Service                            not running                  
SXP Engine Service                     disabled                     
Docker Daemon                          not running                  
TC-NAC Service                         disabled        
pxGrid Infrastructure Service          disabled                     
pxGrid Publisher Subscriber Service    disabled                     
pxGrid Connection Manager              disabled                     
pxGrid Controller                      disabled                     
PassiveID WMI Service                  disabled                     
PassiveID Syslog Service               disabled                     
PassiveID API Service                  disabled                     
PassiveID Agent Service                disabled                     
PassiveID Endpoint Service             disabled                     
PassiveID SPAN Service                 disabled                     
DHCP Server (dhcpd)                    disabled                     
DNS Server (named)                     disabled                     
ISE Messaging Service                  not running                  
ISE API Gateway Database Service       not running                  
ISE API Gateway Service                not running                  
Segmentation Policy Service            disabled                     
REST Auth Service                      disabled                     
SSE Connector                          disabled                     

It took around 10 minutes for me but may take longer depending on your configuration.

Rollback

If you want to roll back for whatever reason, you just need to install the 'rollback' file.

application install ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz MY-FTP