...
This bug has been filed to evaluate the product Cisco Identity Services Engine (ISE) against the vulnerability in the Apache Log4j Java library disclosed on December 9th, 2021.

Cisco has reviewed this product and concluded that it contains a vulnerable version of Apache Log4j and is affected by the following vulnerability:

CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.

Cisco released hotfixes that address this vulnerability in December 2021. The hotfix completely removes the JndiLookup.class from the code. In addition, Log4j will be upgraded to 2.17.0 in the next release of Cisco ISE software.

Refer to the following FAQ for additional information about the hotfixes and affected ISE versions:
https://www.cisco.com/c/dam/en/us/products/se/2021/12/Collateral/ise-log4j-faq.pdf

The Cisco Event Response page includes additional frequently asked questions about the investigation of all Cisco products and services:
https://tools.cisco.com/security/center/resources/prod_svc_info_log4j.html

The Cisco Security Advisory includes the list of all Cisco products affected and is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
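The hotfix works by stripping JndiLookup.class out of the log4j-core JAR, which is also the property an operator can verify after applying it. The following Python script is an added example (not Cisco's tooling and not part of this bug record): it walks a directory of JAR/WAR/EAR files, recurses into nested archives, reads the log4j-core version from the Maven pom.properties inside the JAR, and reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present. The needs_action rule (class present and version unknown or below 2.17.0, the release named above) and the in-memory sample archives in demo() are constructed for the demonstration; real log4j-core JARs carry the same class path and pom.properties layout.

```python
import io
import zipfile
from pathlib import Path

# Real path of the class inside log4j-core that the hotfix strips out.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Real Maven metadata location inside a log4j-core JAR.
POM_PROPS_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
SAFE_VERSION = (2, 17, 0)  # the release this bug record says ISE will move to


def _parse_version(text):
    """'2.13.3' -> (2, 13, 3); None if absent or not purely numeric."""
    if not text:
        return None
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def _log4j_core_version(zf):
    """Best-effort log4j-core version from pom.properties inside the archive."""
    for name in zf.namelist():
        if name.startswith(POM_PROPS_PREFIX) and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def inspect_jar_bytes(data, label):
    """Describe one archive and every archive nested inside it (e.g. WAR -> WEB-INF/lib/*.jar)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = _log4j_core_version(zf)
        has_class = JNDI_LOOKUP_CLASS in names
        parsed = _parse_version(version)
        findings.append({
            "archive": label,
            "log4j_core_version": version,
            "has_jndi_lookup": has_class,
            # Simplified rule (assumption for this demo): flag when the class is still
            # present and the version is unknown or older than 2.17.0. A hotfixed JAR
            # keeps its old version string but no longer contains the class.
            "needs_action": has_class and (parsed is None or parsed < SAFE_VERSION),
        })
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_jar_bytes(zf.read(name), f"{label}!{name}"))
    return findings


def scan_directory(root):
    """Walk a directory tree and inspect every JAR/WAR/EAR found."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            results.extend(inspect_jar_bytes(path.read_bytes(), str(path)))
    return results


def build_sample_jar(version, include_jndi_lookup, nested=None):
    """Construct a minimal fake archive in memory (demo data, not a real log4j JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS_PREFIX + "pom.properties",
                        f"version={version}\ngroupId=org.apache.logging.log4j\n"
                        "artifactId=log4j-core\n")
        # Placeholder class bytes; only the entry names matter for this check.
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


def demo():
    """Constructed cases: unpatched, hotfixed (class removed), upgraded, and a WAR bundling the hotfixed JAR."""
    unpatched = build_sample_jar("2.13.3", include_jndi_lookup=True)
    hotfixed = build_sample_jar("2.13.3", include_jndi_lookup=False)
    upgraded = build_sample_jar("2.17.0", include_jndi_lookup=True)
    war = build_sample_jar(None, include_jndi_lookup=False, nested=hotfixed)
    return {
        "unpatched": inspect_jar_bytes(unpatched, "unpatched.jar"),
        "hotfixed": inspect_jar_bytes(hotfixed, "hotfixed.jar"),
        "upgraded": inspect_jar_bytes(upgraded, "upgraded.jar"),
        "war": inspect_jar_bytes(war, "app.war"),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        for f in findings:
            print(f"{case:10s} {f['archive']:40s} version={f['log4j_core_version']} "
                  f"JndiLookup={f['has_jndi_lookup']} needs_action={f['needs_action']}")
```

Run scan_directory() against the application's library directories to get the same per-archive findings for real files; the nested-archive recursion matters because a vulnerable log4j-core is often bundled inside a WAR or EAR rather than sitting on disk by itself.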
None
Not currently available.
Hotfixes are available at the following links:

2.4 - 3.0:
https://software.cisco.com/download/home/283801620/type/283802505/release/Log4j2-fix-2.4-3.0

3.1 no patch:
https://software.cisco.com/download/home/283801620/type/283802505/release/Log4j2-fix-3.1

3.1 patch 1:
https://software.cisco.com/download/home/283801620/type/283802505/release/log4j2-fix-3.1patch1

Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS scores as of the time of evaluation are 9.8:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html