
Apache Commons Text Vulnerability

  • October 18, 2022


We recently became aware of a Java vulnerability in the Apache Commons Text library [CVE-2022-42889] that could allow for code injection by a malicious actor. While Jamf Pro, Jamf Now, Jamf School, Jamf Threat Defense, Jamf Data Policy, Infrastructure Manager, and Jamf Private Access do utilize this library, a thorough review has shown that these products are not vulnerable to this attack.

 

Although the products themselves are not vulnerable to this attack, upcoming releases of Jamf Pro, Jamf Now, Jamf School, Jamf Threat Defense, Jamf Data Policy, Infrastructure Manager, and Jamf Private Access will contain updates to this vulnerable library.

 

If you have any questions or experience any issues during this process, contact Jamf Support for assistance.

 

Aaron Kiemele

CISO, Jamf

2 replies

donmontalvo
  • Hall of Fame
  • November 3, 2022

I just got pulled into a call regarding CVE-2022-42889 so perfect timing.


bentoms
  • Hall of Fame
  • November 4, 2022

https://community.jamf.com/t5/jamf-nation/apache-commons-text-vulnerability/m-p/276032

For additional clarity, as our CISO Aaron Kiemele mentioned in this post specifically about CVE-2022-42889, all of our Jamf products that use the Apache Commons Text library, including Jamf Pro, are not at risk to the vulnerability based on our configurations. This is still the case. But since we were doing another release to help customers impacted by PI110632, we figured we'd include the updated Apache Commons Text library since it still shows up on many customers' own security scanning software.

Thank you 
Mike Paul
Jamf Product Security Engineer