Cisco has published an advisory alerting users to four vulnerabilities in its Identity Server Engine (ISE): a tcpdump feature command injection vulnerability; a tcpdump stored cross-site scripting vulnerability; an External RADIUS Server feature stored cross-site scripting vulnerability; and an access bypass vulnerability. Cisco plans to release updates to address the flaws; there are no workarounds.
Note
- ISE is an identity-based network access control (NAC) and policy enforcement system, likely a component in your Zero-Trust implementation as you already own it, therefore, fixing this is kind of a big deal. The workaround is there are no workarounds. As such, you need to wait for updates to be released by Cisco. Cisco will only be releasing fixes for ISE 3.1 (3.1p6, March 2023) and 3.2 (3.2p1 January 2023) – as well as providing Hot Patches for 3.1p5 and 3.2, contact your Cisco TAC.
Read more in