If you haven’t heard about the Log4j vulnerability, you must have been living under a rock for the past few weeks. Cisco was quick to release a hot patch for ISE, and you can download it from the usual Cisco download page. You need to download the following two files for versions 2.7 - 3.0
There is already a pretty good guide about the installation, which can be found here: https://www.cisco.com/web/software/283802505/159582/README_Hotpatch_CSCwa47133_Log4j2-fix-2.4-3.0.txt
The process is extremely simple: you just need to run a single command. Please ensure that the hot patch file has already been uploaded to your repository. During the installation all the services will be restarted, so make sure to plan it accordingly. If you have a distributed deployment, the patch needs to be installed on every ISE node.
You can also roll back the hot patch installation by using the
ise-01/admin# show repository MY-FTP
ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz

ise-01/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz MY-FTP
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
Checking if CSCwa47133_all_common_1 is already applied - Successful
Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar - Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application
Hot patch applied successfully
job 1 at Wed Jan 5 19:43:00 2022
Application successfully installed
As you can see below, all the services were restarted during the installation.
ise-01/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          19799
Database Server                        running          82 PROCESSES
Application Server                     not running
Profiler Database                      not running
ISE Indexing Engine                    not running
AD Connector                           not running
M&T Session Database                   not running
M&T Log Processor                      not running
Certificate Authority Service          not running
EST Service                            not running
SXP Engine Service                     disabled
Docker Daemon                          not running
TC-NAC Service                         disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE Messaging Service                  not running
ISE API Gateway Database Service       not running
ISE API Gateway Service                not running
Segmentation Policy Service            disabled
REST Auth Service                      disabled
SSE Connector                          disabled
It took around 10 minutes for me, but it may take longer depending on your configuration.
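Two post-install checks that follow from the output above, as an added example (not code from the original post or from Cisco): the install log shows the hot patch works by deleting JndiLookup.class from the log4j-core jar, so the first function checks a copied jar for that class; the second parses `show application status ise` output and lists services still "not running" (services reported "disabled" are expected). The jar contents and the status text below are constructed samples, and the class path and function names are my own assumptions.

```python
import io
import re
import zipfile

# Class the hot patch removes (standard log4j-core 2.x path; an assumption here).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jndi_lookup_present(jar_bytes: bytes) -> bool:
    """True if a log4j-core jar (given as bytes) still ships JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_CLASS in jar.namelist()


def make_sample_jar(include_jndi: bool) -> bytes:
    """Constructed jar-like zip for demonstration; entries are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


# One row of 'show application status ise': name, 2+ spaces, state, optional PID.
STATUS_LINE = re.compile(r"^(?P<name>.+?)\s{2,}(?P<state>not running|running|disabled)\b")


def services_pending(status_output: str) -> list:
    """Names of services reported 'not running' (the ones to wait for)."""
    pending = []
    for line in status_output.splitlines():
        m = STATUS_LINE.match(line.rstrip())
        if m and m.group("state") == "not running":
            pending.append(m.group("name").strip())
    return pending


# Constructed status excerpt modelled on the output shown in the post.
SAMPLE_STATUS = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          19799
Database Server                        running          82 PROCESSES
Application Server                     not running
Profiler Database                      not running
SXP Engine Service                     disabled
"""

if __name__ == "__main__":
    print("unpatched jar vulnerable:", jndi_lookup_present(make_sample_jar(True)))
    print("still restarting:", services_pending(SAMPLE_STATUS))
```

Re-run the status parser until it returns an empty list before putting the node back into service.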
If you want to roll back for whatever reason, you just need to install the 'rollback' file.
application install ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz MY-FTP