Question

Log4j Vulnerability

  • December 11, 2021
  • 12 replies
  • 43 views

mbayhylle

So the only Log4j file I can find on my on-prem JAMF Pro servers is log4j-1.2.17.jar. Do I need to do anything to mitigate the vulnerability at this point?


  • New Contributor
  • December 11, 2021

  • New Contributor
  • December 11, 2021

I'm having the same issue. The instruction's file structure is different in our environment. We only have the 1 log4j-1.2.17.jar vs the 4 that were mentioned in the article. I've tried replacing the 1 file with the 4 2.15.0 but my web portal does not start. I'm getting a 404 Status page.


  • Contributor
  • December 12, 2021

What version of JAMF Pro are you running?

I was able to find all of the log4j files mentioned in JAMF's mitigation documentation which makes me wonder how your environments differ.


  • New Contributor
  • December 12, 2021

We're on 10.26.1


  • Contributor
  • December 12, 2021

> We're on 10.26.1


Sounds like the issue with mitigating the vulnerability is that you are quite behind on Jamf Pro updates.

10.26.1 was released around Dec 2020. There have been quite a number of updates since then.

I would strongly recommend backing up your database and scheduling an upgrade to 10.34.1.

 


donmontalvo
  • Hall of Fame
  • December 13, 2021

@R_C wrote:

> I would strongly recommend backing up your database and scheduling an upgrade to 10.34.1.


Yea, this one is rated 10 of 10 on the security scale.


donmontalvo
  • Hall of Fame
  • December 13, 2021

log4shell

^^^Just adding so it comes up in a search.


  • Contributor
  • December 13, 2021

> I'm having the same issue. The instruction's file structure is different in our environment. We only have the 1 log4j-1.2.17.jar vs the 4 that were mentioned in the article. I've tried replacing the 1 file with the 4 2.15.0 but my web portal does not start. I'm getting a 404 Status page.


Same issue here running 10.30.3. FILES INDICATED not found.


mm2270
  • Legendary Contributor
  • December 13, 2021

Jamf needs to update their documentation to include the fact that the instructions are only applicable to Jamf Pro versions 10.31 and up. If you're on an older version, your only recourse is to upgrade to at least 10.31 or to 10.34.1, which takes care of this issue without needing to do anything manually. The instructions don't clearly spell out which versions the mitigation steps apply to.


karthikeyan_mac
  • Honored Contributor
  • December 14, 2021

> Same issue here running 10.30.3. FILES INDICATED not found.


Article shows the requirements as Jamf Pro 10.31.0–10.34.0 so your environment might not be in the scope.


  • New Contributor
  • December 16, 2021

> Jamf needs to update their documentation to include the fact that the instructions are only applicable to Jamf Pro versions 10.31 and up. If you're on an older version, your only recourse is to upgrade to at least 10.31 or to 10.34.1, which takes care of this issue without needing to do anything manually. The instructions don't clearly spell out which versions the mitigation steps apply to.


I am also on 10.26 and just need to know if my version is vulnerable. I totally get the whole upgrade thing, but without going through an upgrade, is 10.26 with log4j-1.2.17.jar vulnerable or is it unaffected by this exploit?


mm2270
  • Legendary Contributor
  • December 16, 2021

> I am also on 10.26 and just need to know if my version is vulnerable. I totally get the whole upgrade thing, but without going through an upgrade, is 10.26 with log4j-1.2.17.jar vulnerable or is it unaffected by this exploit?


@gwn714 So, in my discussion with Jamf Support on this, they will not commit to saying that Jamf Pro versions below 10.31 are unaffected by this particular issue. However, the notes in the CVE and from the developer have indicated that log4j versions 1.x are in fact NOT affected by CVE-2021-44228, because the JNDI mechanism that's being used to exploit this vulnerability doesn't exist in those versions. That does NOT mean log4j 1.x doesn't have any other issues or bugs.

All Jamf can really tell anyone is that they know Jamf Pro 10.34.1 has this issue addressed. Beyond that, they won't really say. And I get it. They don't want to commit to saying it's safe for liability reasons, since they really can't be 100% sure.
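
An added example, not part of any post in this thread and not Jamf's or Apache's tooling: a Python inventory of log4j jars under a directory, reporting the version in each file name and whether the jar contains log4j-core's `JndiLookup` class, the JNDI mechanism the last reply refers to. The directory layout and jar contents are constructed samples; a hit identifies a 2.x core jar to check against the vendor's guidance and is not a verdict on its own.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class that implements the ${jndi:...} lookup in log4j-core 2.x; absent from 1.x jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j(?:-core|-api)?-(\d+(?:\.\d+)*)\.jar$", re.I)


def inspect_jar(path):
    """Return (version_from_filename, has_jndi_lookup) for one jar."""
    m = NAME_RE.search(Path(path).name)
    version = m.group(1) if m else None
    with zipfile.ZipFile(path) as jar:
        has_lookup = JNDI_LOOKUP in jar.namelist()
    return version, has_lookup


def scan(root):
    """Walk root and report every log4j*.jar found, keyed by file name."""
    results = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        if not jar.name.lower().startswith("log4j"):
            continue
        try:
            results[jar.name] = inspect_jar(jar)
        except zipfile.BadZipFile:
            results[jar.name] = (None, None)  # unreadable archive: check by hand
    return results


def build_sample_tree(root):
    """Constructed stand-ins for real jars: empty class entries, names only."""
    lib = Path(root) / "webapp" / "WEB-INF" / "lib"  # assumed layout
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-1.2.17.jar", "w") as z:
        z.writestr("org/apache/log4j/Logger.class", b"")
    with zipfile.ZipFile(lib / "log4j-core-2.15.0.jar", "w") as z:
        z.writestr(JNDI_LOOKUP, b"")
    (lib / "log4j-api-2.15.0.jar").write_bytes(b"not a zip")  # corrupt file case
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (ver, jndi) in scan(build_sample_tree(tmp)).items():
            print(f"{name}: version={ver} JndiLookup={jndi}")
```

To use it on a server, call `scan()` on the application's install directory instead of the sample tree.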