OPERATIONAL DEFECT DATABASE
...
...
This bug has been filed to evaluate the product Cisco Identity Services Engine (ISE) against the vulnerability in the Apache Log4j Java library disclosed on December 9th, 2021. Cisco has reviewed this product and concluded that it contains a vulnerable version of Apache Log4j and is affected by the following vulnerability: CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. Cisco released hotfixes that address this vulnerability in December 2021. The hotfix completely removes the JndiLookup.class from the code. In addition, Log4j will be upgraded to 2.17.0 in the next release Cisco ISE software. Refer to the following FAQ for additional information about the hotfixes and affected ISE versions: https://www.cisco.com/c/dam/en/us/products/se/2021/12/Collateral/ise-log4j-faq.pdf The Cisco Event Response page includes additional frequently asked questions about the investigation of all Cisco products and services: https://tools.cisco.com/security/center/resources/prod_svc_info_log4j.html The Cisco Security Advisory includes the list of all Cisco products affected and is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
None
Not currently available.
Hotfixes are available at the following links: 2.4 - 3.0: https://software.cisco.com/download/home/283801620/type/283802505/release/Log4j2-fix-2.4-3.0 3.1 no patch: https://software.cisco.com/download/home/283801620/type/283802505/release/Log4j2-fix-3.1 3.1 patch 1: https://software.cisco.com/download/home/283801620/type/283802505/release/log4j2-fix-3.1patch1 Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS scores as of the time of evaluation are 9.8: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html
Click on a version to see all relevant bugs
Cisco Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
