Install Log4j Patch for Cisco Identity Services Engine
The Apache Log4j library vulnerability affects a very wide range of products, and Cisco Identity Services Engine (ISE) is also affected. In this article I will discuss how to install the Log4j patch on ISE.
I got a “Patch cannot be installed. Patch file is not in the correct format” error when installing directly on the GUI, so I installed it via the CLI.
First, prepare an FTP/SFTP server. If you are using Ubuntu Server, you can refer to this article of mine. Then copy the Log4j patch to the FTP/SFTP server; the patch can be downloaded here.
Log in to the ISE GUI and navigate to Administration > System > Maintenance > Repository, then fill in the fields as needed. Here is an example.
Install the patch
Log in to the ISE CLI and enter the following commands to install the patch and confirm the installation.
application install <FILE_NAME> <REPOSITORY_NAME>
show logging application hotpatch.log
Here is an example.
ise2/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
Checking if CSCwa47133_all_common_1 is already applied - Successful
Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
- Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application
Hot patch applied successfully
warning: commands will be executed using /bin/sh
job 1 at Fri Jan 14 07:57:00 2022
Application successfully installed
ise2/admin# show version
Cisco Application Deployment Engine OS Release: 3.1
ADE-OS Build Version: 184.108.40.206
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2021 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise2
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 220.127.116.118
Build Date : Mon Aug 9 20:28:55 2021
Install Date : Fri Jan 14 06:52:37 2022
ise2/admin# show logging application hotpatch.log
Fri Jan 14 07:56:09 UTC 2022 => CSCwa47133_all_common_1 => CSCwa47133
ise2/admin#
ise2/admin#
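When the patch is applied to more than one node, the `hotpatch.log` check above can be repeated over saved CLI output from each node. The following is an added example, not part of the original article or of Cisco's tooling; the node name `ise3` and its capture are constructed, and the entry format is assumed to match the single line shown in the session above.

```python
import re
from datetime import datetime

# Entry format as shown in the session above:
#   Fri Jan 14 07:56:09 UTC 2022 => CSCwa47133_all_common_1 => CSCwa47133
ENTRY = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} UTC \d{4})"
    r" => (?P<hotpatch>\S+) => (?P<defect>\S+)$"
)

def parse_hotpatch_log(cli_output):
    """Return (timestamp, hotpatch, defect) for each hotpatch.log entry.

    Prompt lines, echoed commands and blank lines are skipped.
    """
    entries = []
    for line in cli_output.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Collapse the double space used for single-digit days.
            ts_text = " ".join(m["ts"].split())
            ts = datetime.strptime(ts_text, "%a %b %d %H:%M:%S UTC %Y")
            entries.append((ts, m["hotpatch"], m["defect"]))
    return entries

def nodes_missing(defect, captures):
    """captures maps node name -> saved output of
    'show logging application hotpatch.log'. Returns unpatched nodes, sorted."""
    return sorted(
        node for node, text in captures.items()
        if defect not in {d for _, _, d in parse_hotpatch_log(text)}
    )

# Constructed sample captures: ise2 is copied from the session above,
# ise3 is a hypothetical node where the hot patch has not been applied.
CAPTURES = {
    "ise2": "ise2/admin# show logging application hotpatch.log\n"
            "Fri Jan 14 07:56:09 UTC 2022 => CSCwa47133_all_common_1 => CSCwa47133\n"
            "ise2/admin#\n",
    "ise3": "ise3/admin# show logging application hotpatch.log\n"
            "ise3/admin#\n",
}

if __name__ == "__main__":
    for node in nodes_missing("CSCwa47133", CAPTURES):
        print(f"{node}: CSCwa47133 hot patch not recorded in hotpatch.log")
```

Any capture without a matching entry, including an error message from the CLI, is reported as missing, so an unexpected output format shows up as a node to check by hand.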
Configure Repository on ISE
README for installing Hot Patch to fix CSCwa47133
Patch Installation on ISE and FAQ during Installation