The information in this document is based on the following software and hardware versions:

• Cisco DNA Center release 1.0 and later.

The following advisory table lists the specific bug for this vulnerability, product versions that are impacted, and available patch releases with a fix. Product versions with no patch release shown have passed the End of Software Maintenance stage and are not considered for review.

• Q1: How often is the document revised with the latest information?

  Answer: The document is reviewed weekly and updated in the morning (U.S. hours).

• Q2: When are patches released?

  Answer: All patched software for currently maintained releases has been released and documented in the advisory table.

• Q3: Is there a workaround that can be implemented until the fix is ready?

  Answer: We recommend that you follow the PSIRT advisory and ensure that patches are applied as soon as possible once released for affected versions.

• Q4: I see older Log4j files on my patched Cisco DNA Center. Why?

  Answer: Affected releases of Cisco DNA Center moved from Apache Log4j version 2.15 to 2.16. Some open source services rely on 1.x versions of Log4j and 2.11; however, the offending class was removed and our current configuration is not vulnerable. Instead of relying on filenames and version numbers for identification, we recommend the following tools to help assess, identify, and reduce exposure to vulnerabilities:

  • https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

  • https://github.com/cisagov/log4j-scanner

  • https://github.com/CERTCC/CVE-2021-44228_scanner

• Q5: What actions do I take if my organization's security scanner (for example, Qualys) picks up CVE-2021-45105, CVE-2021-45046, and CVE-2021-44832 after I patched my Cisco DNA Center product?

  Answer: No action is needed. Cisco has reviewed CVE-2021-45105, CVE-2021-45046, and CVE-2021-44832 and has determined that no Cisco products or cloud offerings are impacted by this vulnerability. This information has been highlighted in the advisory as well.

  Note	Although we are not currently vulnerable to CVE-2021-44832 and CVE-2021-45105, Cisco DNA Center release 2.2.3.5 and 2.3.2.3 will move to Log4j 2.17, where applicable.

• Q6: Will older impacted releases be patched?

  Answer: All patched releases are currently available. Older releases are past the end of software maintenance. See the EoS/EoL Notice for Cisco DNA Center Software Versions 1.0, 1.1, 1.2, and 1.3. To fix your impacted Cisco DNA Center, you must upgrade to a patched release. See the Cisco DNA Center Upgrade Guide. For further guidance, contact the Cisco TAC.

• Q7: My security scanner shows that I'm vulnerable to CVE-2021-4104. What should I do?

  Answer: Cisco DNA Center does not provide write access to the Log4j configuration and does not use the JMS Appender, both of which are required for this vulnerability to be exploited. No action is required. For more information, see https://nvd.nist.gov/vuln/detail/CVE-2021-4104.