I noticed this as well.

Wonder if we can still use 2.15.0 “This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).”

@BCPeteo you can replace the class.  I replaced the class to 2.16

https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html

@spotmacare you saying that you've replaced:

log4j-1.2-api-2.15.0.jar
log4j-api-2.15.0.jar
log4j-core-2.15.0.jar
log4j-slf4j-impl-2.15.0.jar

with

log4j-1.2-api-2.16.0.jar
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
log4j-slf4j-impl-2.16.0.jar

and Jamf Pro 10.34.1 still works?

I just found this:

https://community.jamf.com/t5/jamf-pro/third-party-security-issue/m-p/253740

Looks like CVE-2021-45046 is not an issue.

Yes, don’t forget to update the ownership of the files.

chown jamftomcat:jamftomcat file

I would be loathe to update the jar files provided by a vended product without them saying "Yeah, totally do that".

I am still learning jamf but I could see manually updating internals causing issues down the line when you want to upgrade. I don't know if jamf's installer/upgrader assesses existing files. Also, we are not sure WHAT files jamf may update on any one upgrade.

This just introduces technical debt your typical busy admin doesn't need unless they are impeccable documenters; and as much as I like documentation, it doesn't always happen.

Jamf always updating (extracting ROOT.war) always all files and recovery the configuration files. 

The idea to replace the files comes from Jamf self 😉

https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html

I missed that one. Thanks for pointing it out!

rmday, good point. Thank you for that.

spotmac, good point as well. Thank you.

I'm just weighing my options at this point. I'm already on version 10.34.1 which uses log4j-core-2.15.0.jar. So CVE-2021-44228 should be covered.

As for CVE-2021-45046, the official word from Jamf is this:

We are aware of CVE-2021-45046 that was remediated in log4j 2.16.0. Based on what we know today, this new vulnerability does not affect Jamf products. The conditions required for the exploitation of the vulnerability are not met by Jamf's use of the log4j library. We will continue to investigate and monitor, but no further action is required to remediate this CVE with Jamf products.

Keep in mind this: 

https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/

I agree with this, score went from 3.7 to a 9.0.

I'm running 10.34.1 with 2.15, hopefully they will just update to 2.16 to avoid any possible issues.

Hopefully soon!

The jamf document (https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html) says:

Download apache-log4j-2.15.0-bin.zip or later from the following webpage:

I just tested 2.16 and it seems fine

ostrowsp, I have overlooked the "or later" detail in the official doc. I will just go ahead and update to 2.16.0.

The topic here is getting current coverage in this post from jamf folks:

https://community.jamf.com/t5/jamf-pro/third-party-security-issue/m-p/254389

I would move over there to contribute.