Install Log4j Patch for Cisco Identity Services Engine

The Apache Log4j vulnerability (Log4Shell, CVE-2021-44228) affects a very wide range of products, and Cisco Identity Services Engine (ISE) is among them; Cisco tracks the ISE fix under bug ID CSCwa47133. This article walks through installing the Log4j hot patch on ISE.

I got a “Patch cannot be installed. Patch file is not in the correct format” error when installing directly from the GUI, so I installed it via the CLI.

First we need to prepare an FTP/SFTP server. If you are using Ubuntu Server, you can refer to this article of mine. Then copy the Log4j patch to the FTP/SFTP server; the patch can be downloaded here, from Cisco's software download site. Verify the file's checksum against the value published on the download page before uploading it, and prefer SFTP over FTP so that the credentials and the patch file are not sent in the clear.

Configure Repository

Log in to the ISE GUI and navigate to Administration > System > Maintenance > Repository, then fill in the repository name, protocol (FTP or SFTP), server address, path and credentials as needed; here is an example. For an SFTP repository, the server's SSH host key must also be added from the ISE CLI (crypto host_key add host) before the repository can be used. Before installing, confirm that ISE can list the patch file in the repository (show repository followed by the repository name); if the file does not appear, the install will fail.

Install the patch

Log in to the ISE CLI and run the following commands to install the patch and confirm that it was applied. The Log4j fix is delivered as a hot patch rather than a regular ISE patch, which is why it is installed with application install instead of patch install. The install restarts the ISE application on the node (note "restarting application" in the transcript below) and only affects the node it is run on, so it must be repeated on every node in the deployment and scheduled accordingly.

application install <FILE_NAME> <REPOSITORY_NAME>
show logging application hotpatch.log

Here is an example.

ise2/admin# application install ise-apply-CSCwa47133_Ver_24_30_allpatches-SPA.tar.gz ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
 
Checking if CSCwa47133_all_common_1 is already applied
  - Successful
 
Applying hot patch CSCwa47133_all_common_1
Taking backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
Completed backup of file /opt/CSCOcpm/elasticsearch/lib/log4j-core-*.jar
  - Running hotpatch wrapper script
Removing the vulnerable class file JndiLookup.class from log4j-core
restarting application
 
Hot patch applied successfully
warning: commands will be executed using /bin/sh
job 1 at Fri Jan 14 07:57:00 2022

Application successfully installed
ise2/admin# show version 

Cisco Application Deployment Engine OS Release: 3.1
ADE-OS Build Version: 3.1.0.135
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2021 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise2


Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 3.1.0.518
Build Date   : Mon Aug  9 20:28:55 2021
Install Date : Fri Jan 14 06:52:37 2022

ise2/admin# show logging application hotpatch.log
Fri Jan 14 07:56:09 UTC 2022 => CSCwa47133_all_common_1 => CSCwa47133
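
As an added example (not part of the original post and not Cisco tooling), the following Python script performs the two checks a practitioner wants after this step: it scans a directory tree for log4j-core jars and reports whether each still contains the JndiLookup class that the hot patch removes, and it parses hotpatch.log lines of the form shown above to confirm that CSCwa47133 is recorded. ISE itself exposes no shell, so the jar scan is meant for other hosts where you have file-system access, or for jars copied off a system; the sample jars, directory layout, log4j version and log line it runs on are constructed inline for the example. Keep in mind that the hot patch takes a backup of the original jar (see the "Taking backup" lines above), so a scan whose scope includes that backup will still report the class as present there.

```python
"""Check the Log4Shell class-removal mitigation and parse ISE hotpatch.log.

Added example for this article; it is not code from the original post or
from Cisco. It assumes file-system access to the log4j-core jars being
checked (ISE exposes no shell, so run it against another host or a copied
jar) and that hotpatch.log lines keep the "<timestamp> => <hotpatch> => <bug>"
shape shown in the transcript.
"""
import os
import re
import tempfile
import zipfile

# The class that the CSCwa47133 hot patch strips out of log4j-core.jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# log4j-core jars are normally named log4j-core-<version>.jar.
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")

# One hotpatch.log line, e.g.
# Fri Jan 14 07:56:09 UTC 2022 => CSCwa47133_all_common_1 => CSCwa47133
HOTPATCH_RE = re.compile(r"^(.+?) => (\S+) => (\S+)$")


def inspect_jar(path):
    """Return (version, jndi_present) for one jar. version is None if the
    file name does not follow the log4j-core-<version>.jar convention."""
    match = JAR_NAME_RE.match(os.path.basename(path))
    version = match.group(1) if match else None
    with zipfile.ZipFile(path) as jar:
        jndi_present = JNDI_LOOKUP in jar.namelist()
    return version, jndi_present


def scan_jars(root):
    """Walk root and return sorted (relative_path, version, jndi_present)
    tuples for every log4j-core jar. jndi_present=True means the JndiLookup
    class is still in the jar, i.e. the mitigation has not been applied."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if JAR_NAME_RE.match(name):
                path = os.path.join(dirpath, name)
                version, jndi_present = inspect_jar(path)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, version, jndi_present))
    return sorted(findings)


def parse_hotpatch_log(text):
    """Return (timestamp, hotpatch_name, bug_id) tuples from hotpatch.log."""
    entries = []
    for line in text.splitlines():
        match = HOTPATCH_RE.match(line.strip())
        if match:
            entries.append(match.groups())
    return entries


def hotpatch_applied(text, bug_id):
    """True when hotpatch.log records a hot patch for the given bug ID."""
    return any(entry[2] == bug_id for entry in parse_hotpatch_log(text))


def _make_jar(path, include_jndi):
    """Constructed sample jar: a minimal zip with or without JndiLookup.class.
    The class bodies are placeholder bytes, not real bytecode."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build a patched jar plus a pre-patch backup copy (both constructed;
    the version number and backup directory are chosen for the example),
    scan them, and parse a sample hotpatch.log line."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "elasticsearch", "lib")
        backup = os.path.join(root, "backup")
        os.makedirs(lib)
        os.makedirs(backup)
        _make_jar(os.path.join(lib, "log4j-core-2.11.1.jar"), include_jndi=False)
        _make_jar(os.path.join(backup, "log4j-core-2.11.1.jar"), include_jndi=True)
        findings = scan_jars(root)
    sample_log = "Fri Jan 14 07:56:09 UTC 2022 => CSCwa47133_all_common_1 => CSCwa47133\n"
    return findings, parse_hotpatch_log(sample_log)


if __name__ == "__main__":
    jars, entries = demo()
    for rel, version, jndi_present in jars:
        state = "STILL VULNERABLE" if jndi_present else "JndiLookup removed"
        print(f"{rel} (log4j-core {version}): {state}")
    for timestamp, hotpatch, bug in entries:
        print(f"{bug}: {hotpatch} applied {timestamp}")
```

Point scan_jars at the directory you want to check (for a real host, a path such as /opt or the application's lib directory) and treat any jar reported with the class still present as unmitigated unless it is a known backup copy; the presence check is on the zip entry name only, so it does not depend on the log4j version string, which is why the version is reported separately.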


References

Configure Repository on ISE
README for installing Hot Patch to fix CSCwa47133
Patch Installation on ISE and FAQ during Installation
