Cisco Ise Hot Fix Installation Guide

This document provides a step-by-step guide for installing a hot patch on Cisco Identity Services Engine (ISE) versions 2.4 to 3.0 to address the Log4j vulnerability. It includes installation and rollback procedures, as well as links to relevant security advisories and patch downloads. The document is intended for the Cisco ISE team and emphasizes the importance of applying the patch to secure ISE deployments.

Log4j Vulnerability Hot Patch Installation on

Cisco ISE v2.4 - 3.0

Dec 16, 2021


1.0

Cisco Systems, Inc.


Corporate Headquarters
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000 Toll Free: 800 553-NETS (6387)
Fax: 408 526-4100

Cisco Highly Confidential. All printed copies and duplicate soft copies are considered uncontrolled
and the original online version should be referred to for the latest version.
Contents
Contents ... 2
About This Document ... 3
  History ... 3
  Review ... 3
  Document Conventions ... 3
1 Introduction ... 4
  1.1 Audience ... 4
  1.2 Document Purpose ... 4
2 Log4j Vulnerability: Reference Links for ISE ... 5
3 Installation & Rollback ... 6
  3.1 Hot Patch Installation Steps ... 6
  3.2 Rollback Steps ... 7
4 FAQs ... 9
Trademarks and Disclaimers ... 10
Document Acceptance ... 11

16 December 2021
Cisco Highly Confidential. All printed copies and duplicate soft copies are considered uncontrolled
and the original online version should be referred to for the latest version.
Page 2 of 11
About This Document
Rendered by: Sadashiv Palde
Change Authority: Cisco Systems

History
Manually maintained document history:
Version  Date          Status  Reason for Change
1.0      Dec 16, 2021  Final

Review
Manually maintained review history:
Version  Reviewer's Detail  Review Date

Document Conventions
Tip
Time saver. Expedite the task by following the recommendation being described.

Info
Alerts reader that the information will help them solve a problem or better understand the
subject being described.

Note
Alerts readers to be careful. You might do something that could negatively impact a solution,
project, equipment or the quality of the work being described.

Warning
Alerts readers of a situation that could cause injury or severely impact a solution, project,
equipment or the quality of the work being described.

1 Introduction

1.1 Audience
This document is intended for the Cisco Identity Services Engine (ISE) team.

1.2 Document Purpose


This document provides a step-by-step procedure for installing the hot patch released by Cisco for ISE
servers in response to the recent Log4j vulnerability. It is provided as a quick reference for the
immediate measure customers need to take to secure Cisco Identity Services Engine with the help of
the hot patch.

Note
Do note that this hot patch is applicable only to ISE versions 2.4 to 3.0 (running the base version or
with any patch installed).

2 Log4j Vulnerability: Reference Links for ISE
1. Security advisory released by Cisco for the Apache Log4j library:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

2. The Log4j vulnerability CVE-2021-44228 is tracked for ISE under the following bug ID:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47133

3. Cisco has released a hot patch for this PSIRT, which can be downloaded from the Cisco software
download site at the link below:
https://software.cisco.com/download/home/283801620/type/283802505/release/Log4j2-fix-2.4-3.0

4. This is a general patch for all releases from 2.4 through 3.0. The following README file has the
instructions for installation, the process, and rollback:
https://www.cisco.com/web/software/283802505/159582/README_Hotpatch_CSCwa47133_Log4j2-fix-2.4-3.0.txt

5. Customers having ISE deployments in their environment will have to plan and apply this hot
patch on all ISE nodes to fix the critical vulnerability.

6. The hot patch should be installed on ALL ISE nodes in the deployment, one node at a time.

3 Installation & Rollback

3.1 Hot Patch Installation Steps


1. Copy the downloaded files to an FTP/SFTP server.

Info
All steps after this need to be carried out on all ISE servers via the CLI.

2. Validate that the files are present in the FTP/SFTP repository by issuing the command below on
the ISE CLI.

ise/admin# show repository Test-FTP
ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise/admin#

3. Create a local repository on the ISE server via the CLI.


Warning
Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to
other ISE nodes. If this repository is not created in the ISE web UI, it will be deleted when ISE
services restart.

ise/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ise/admin(config)# repository local
ise/admin(config-Repository)# url disk:/
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are
not replicated to other ISE nodes. If this repository is not created in the ISE web UI,
it will be deleted when ISE services restart.
ise/admin(config-Repository)#exit
ise/admin(config)#exit
ise/admin#

4. Copy the installable file and the rollback file to the ISE local disk using the commands below, and
validate the result.

ise/admin# copy ftp://10.106.33.250/ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz disk:
Username: admin
Password:
ise/admin#
ise/admin# copy ftp://10.106.33.250/ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz disk:
Username: admin
Password:
ise/admin# show repository local
ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz
ise/admin#

5. Install the hot patch using the command below. Services will restart during the installation process.

ise/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz local
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...

Checking if CSCwa47133_all_common_1 is already applied
- Successful

Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
- Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application

Hot patch applied successfully
job 4 at Fri Dec 17 12:24:00 2021

Application successfully installed
ise/admin#

6. Verify that the hot patch has been installed successfully.

ise/admin# show logging application hotpatch.log
Wed Feb 20 19:34:35 IST 2019 => CSCvi43687_2.4.0.357_HDFC_1 => CSCvn79569,CSCvn92528,CSCvi43687,CSCvn22251,CSCvj05563,CSCvn36029
Mon Nov 11 18:16:41 IST 2019 => CSCvp06218_2.4.0.357_patch9
Tue Jan 7 20:03:44 IST 2020 => CSCvq39759_2.4.0.357_patch9
Wed Feb 12 23:10:14 IST 2020 => CSCvs53148_2.4.0.357_patch11
Mon Aug 16 15:26:02 IST 2021 => CSCvy94427_2.7.0.356_patch4
Fri Dec 17 12:23:47 IST 2021 => CSCwa47133_all_common_1 => CSCwa47133
ise/admin#

"CSCwa47133_all_common_1 => CSCwa47133" should be displayed. This confirms that the hot patch is
successfully installed.

3.2 Rollback Steps


1. Roll back the hot patch using the command below.

ise/admin# application install ise-rollback-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz local
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
Checking if CSCwa47133_all_common_1 is applied
- Successful

Checking if rollback script exists
- Successful

Rollingback hot patch CSCwa47133_all_common_1
- Rolling back patch related files
Copying backup jar log4j-core-*.jar to /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed copying backup jar log4j-core-*.jar to /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
- Running patch rollback scripts
restarting application

Hot patch rolled back successfully
job 5 at Fri Dec 17 12:40:00 2021

Application successfully installed
ise/admin#

2. Verify that the hot patch has been rolled back successfully.

ise/admin# show logging application hotpatch.log
Wed Feb 20 19:34:35 IST 2019 => CSCvi43687_2.4.0.357_HDFC_1 => CSCvn79569,CSCvn92528,CSCvi43687,CSCvn22251,CSCvj05563,CSCvn36029
Mon Nov 11 18:16:41 IST 2019 => CSCvp06218_2.4.0.357_patch9
Tue Jan 7 20:03:44 IST 2020 => CSCvq39759_2.4.0.357_patch9
Wed Feb 12 23:10:14 IST 2020 => CSCvs53148_2.4.0.357_patch11
Mon Aug 16 15:26:02 IST 2021 => CSCvy94427_2.7.0.356_patch4
ise/admin#

"CSCwa47133_all_common_1 => CSCwa47133" should not be displayed. This confirms that the hot patch
is successfully rolled back.
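The verification in step 6 of section 3.1 and step 2 of section 3.2 both come down to reading hotpatch.log for the "CSCwa47133_all_common_1 => CSCwa47133" entry. The following Python script is an added example, not part of Cisco's guide or of the ISE software: it parses captured output of "show logging application hotpatch.log" (collected from each node over SSH or pasted from the console) and reports which nodes in a deployment still lack the hot patch. The sample log text and the node names are constructed.

```python
from __future__ import annotations
import re

# Identifiers from the guide: the entry "CSCwa47133_all_common_1 => CSCwa47133"
# must be present in hotpatch.log after install and absent after rollback.
HOTPATCH_ID, HOTPATCH_BUG = "CSCwa47133_all_common_1", "CSCwa47133"
# One entry: "<date> => <patch id>[ => <comma-separated bug ids>]"
LOG_LINE = re.compile(r"^(?P<date>.+?)\s+=>\s+(?P<patch>\S+)(?:\s+=>\s+(?P<bugs>\S+))?$")

def _joined_lines(output: str) -> list[str]:
    """Drop prompts and blank lines; re-join entries wrapped after a trailing '=>'."""
    lines = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("ise/") or line.endswith("#"):
            continue  # CLI prompt or empty line pasted along with the output
        if lines and lines[-1].endswith("=>"):
            lines[-1] += " " + line  # bug list continued on the next line
        else:
            lines.append(line)
    return lines

def parse_hotpatch_log(output: str) -> list[dict]:
    """Parse 'show logging application hotpatch.log' output into entries."""
    entries = []
    for m in filter(None, map(LOG_LINE.match, _joined_lines(output))):
        bugs = m.group("bugs").split(",") if m.group("bugs") else []
        entries.append({"date": m.group("date"), "patch": m.group("patch"), "bugs": bugs})
    return entries

def log4j_hotpatch_applied(output: str) -> bool:
    """True when the CSCwa47133 hot patch entry is present in hotpatch.log."""
    return any(e["patch"] == HOTPATCH_ID and HOTPATCH_BUG in e["bugs"]
               for e in parse_hotpatch_log(output))

def nodes_missing_hotpatch(logs_by_node: dict[str, str]) -> list[str]:
    """Map of node name -> its hotpatch.log output; returns nodes still unpatched."""
    return sorted(n for n, out in logs_by_node.items() if not log4j_hotpatch_applied(out))

# Constructed sample output (hypothetical node names); entries mirror the guide's format.
SAMPLE_AFTER_INSTALL = """ise/admin# show logging application hotpatch.log
Wed Feb 20 19:34:35 IST 2019 => CSCvi43687_2.4.0.357_HDFC_1 =>
CSCvn79569,CSCvn92528
Fri Dec 17 12:23:47 IST 2021 => CSCwa47133_all_common_1 => CSCwa47133
ise/admin#"""
SAMPLE_AFTER_ROLLBACK = """ise/admin# show logging application hotpatch.log
Mon Aug 16 15:26:02 IST 2021 => CSCvy94427_2.7.0.356_patch4
ise/admin#"""
```

Run nodes_missing_hotpatch over a dict of node name to captured output; an empty list means every node shows the entry, which is the state section 2 requires before the deployment is considered fixed.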

4 FAQs
Q1: Is it supported to install this Apache Log4j hot patch (HP) on top of another hot patch?
A: Yes, installing the Log4j hot patch on top of an existing hot patch is supported.

Q2: In the future, do we have to uninstall this Apache Log4j hot patch before applying new patches?
A: When the next official patch is released by Cisco, you must uninstall this hot patch and then install
the latest released patch for your ISE version.

Trademarks and Disclaimers
IF THIS DOCUMENT IS PROVIDED AS A DELIVERABLE IN ACCORDANCE WITH THE CISCO
TERMS AND CONDITIONS ASSOCIATED WITH A PURCHASED CISCO SERVICE (“TERMS”) THEN
THIS DOCUMENT IS PRESENTED SUBJECT TO THOSE TERMS. IN ALL OTHER EVENTS, THIS
DOCUMENT IS PROVIDED “AS-IS” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NON-INFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the
U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective
owners. The use of the word partner does not imply a partnership relationship between Cisco and any
other company. (1110R)

© 2021 Cisco and/or its affiliates. All rights reserved.

Document Acceptance

Name:
Title:
Company:
Signature:
Date:

Name:
Title:
Company:
Signature:
Date:

Name:
Title:
Company:
Signature:
Date:
