
Hi!

 

Today, an RCE 0-day vulnerability was discovered in SpringShell:

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

It seems like Jamf is using the Spring framework

 

/usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib/spring-beans-5.3.9.jar

 

Is Jamf Pro affected by this vulnerability and if so, what is the recommended action?

 

 

We are actively investigating this reported vulnerability. Though Jamf Pro does utilize the Spring Framework, we have not found any evidence that Jamf customers are affected in any way at this time.

Aaron Kiemele

Jamf, CISO


Please review @Aaron_Kiemele's more detailed post regarding this question.


Are any other Jamf products affected by CVE-2022-22965?
 
We use Jamf Pro, Jamf Protect, and Connect.

The same question as @CrawfordRobson. In the Jamf Pro installation folder I see the file spring-beans-5.3.11.jar. In reference to the article https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?m=1, does that determine that the application is potentially vulnerable to spring4shell ... ?



@CrawfordRobson Thanks for reposting your question on this thread.  

