Question

Is Jamf Pro affected by SpringShell vulnerability?

Forum|Forum|3 years ago
March 30, 2022
5 replies
27 views

S

+3

sist
New Contributor

Hi!

Today, a RCE 0-day vulnerability was discovered in SpringShell:

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

It seems like Jamf is using the Spring framework

/usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib/spring-beans-5.3.9.jar

Is Jamf Pro affected by this vulnerability and if so, what is the recommended action?

A

+10

Aaron_Kiemele
Employee
Forum|Forum|3 years ago
March 30, 2022

We are actively investigating this reported vulnerability. Though Jamf Pro does utilize the Spring Framework, we have not found any evidence that Jamf customers are affected in any way at this time.

Aaron Kiemele

Jamf, CISO

Like

+15

CalleyO
Employee
Forum|Forum|3 years ago
March 31, 2022

Please review @Aaron_Kiemele more detailed post regarding this question.

Like

+6

CrawfordRobson
Contributor
Forum|Forum|3 years ago
April 1, 2022

Any other Jamf products are affected by CVE-2022-22965?

We use Jamf Pro, Jamf Protect, and Connect.

Like

P

piotrwawrzynek
New Contributor
Forum|Forum|3 years ago
April 1, 2022

The same question like @CrawfordRobson In Jamf Pro installation folder I see file : spring-beans-5.3.11.jar. In reference to the article : https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?m=1 . It determine that application is potentiality vulnerability for spring4shell ... ?

Like

+15

CalleyO
Employee
Forum|Forum|3 years ago
April 4, 2022

Any other Jamf products are affected by CVE-2022-22965?

We use Jamf Pro, Jamf Protect, and Connect.

@CrawfordRobson Thanks for reposting your question on this thread.

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded