Hi,
Thanks Aaron found a lot of springframeworks in the Jamf Pro (Cloud) instance server logs (example below) how quickly will this be patched out?
webmvc-5.3.11.jar:5.3.11]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.11.jar:5.3.11]
Do we know if any other Jamf Product are affected by CVE-2022-22965?
Are previous (ex: <10.37.0) versions not affected, and that is the reason the update is being held off? Or is it because the fix will be available very soon and JAMF is avoiding having to update all their cloud servers twice within a very short period?
Can we update to Tomcat 8.5.78 to close the attack vector?
We still have yet to verify any exploitable path to our customers, regardless of what Jamf products they use. Our team is working around the clock investigating this reported vulnerability, and we will continue to update you as soon as we learn more.
Regardless, we plan to reschedule the 10.37.1 upgrade that includes the patched spring libraries as soon as possible, including potentially over the weekend. We will alert you via email and through Jamf Nation when that upgrade is scheduled.
Thank you,
Aaron
CISO, Jamf
I'd like to second what @Discher asked - how may we patch Tomcat ourselves?
I've asked this before, and Jamf has been mute - but they constantly put out new patches for Jamf Pro with outdated Tomcat versions (10.37.0 came with an old version). We need a method of updating Tomcat to the latest Tomcat 8 version without waiting on Jamf
@ncats_lab if you use the manual installer.. you then manage tomcat etc yourself.
..and, AFAIK.. this vuln isn't Tomcat.. but a framework used within Jamf Pro's .war
It can be mitigated by upgrading Tomcat:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
"
Suggested Workarounds
If you’re able to upgrade to Spring Framework 5.3.18 and 5.2.20, no workarounds are necessary. Downgrading to Java 8 provides a viable workaround, which may be a quick and simple thing to do as a tactical solution, until you can upgrade to a supported Spring Framework version.
For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides protection against the reported attack vector. However, applying the workarounds described next is still a good step to prevent any other possible attack vectors."
Also, we use the tarbal from Jamf to upgrade Jamf (with a .run) . We shouldn't have to do this manually each time in order to replace Tomcat
Also, of note - there is documentation for manually upgrading Jamf Pro on Windows, but not for Linux - the only option provided is upgrading with the installer.
https://docs.jamf.com/10.37.0/jamf-pro/install-guide-linux/Upgrading_Jamf_Pro_Using_the_Installer_on_Linux.html
@ncats_lab we use the manual installer for our ubuntu kubernetes jamf pro pods.
Basically.. install java.. tomcat.. drop the .war into the web apps directory of tomcat... start tomcat..
In this scenario, mysql is elsewhere.
Thank you for your patience as we continued to monitor and work through the Spring Framework vulnerability. Jamf Pro 10.37.2, which includes the patched version of the spring framework, is now generally available and should completely mitigate the issue.
For additional information in this release please read full release notes here.
Cloud customers will be patched automatically. The schedule for server updates can be found here.
For our on premises customers, 10.37.2 and 10.36.4 are both available to mitigate this vulnerability. Further information can be found in release notes.
Thank you,
Aaron Kiemele
CISO, Jamf
Thank you for your patience as we continued to monitor and work through the Spring Framework vulnerability. Jamf Pro 10.37.2, which includes the patched version of the spring framework, is now generally available and should completely mitigate the issue.
For additional information in this release please read full release notes here.
Cloud customers will be patched automatically. The schedule for server updates can be found here.
For our on premises customers, 10.37.2 and 10.36.4 are both available to mitigate this vulnerability. Further information can be found in release notes.
Thank you,
Aaron Kiemele
CISO, Jamf
We are still running 10.35. There's no published evidence from you that Jamf Pro is affected by this vulnerability, but for peace of mind, it would be good if you tell us if there's a way to manually patch the Spring framework (as there was with the log4j libraries).
Due to the mysql dependencies we are still with 10.34.2, so is there anything we can do to mitigate the vulnerability, or do we have to try an emergency update of the mysql version?
As @TeamOC asked (but I was not able to find the answer, if there is any already, sorry ;)):
Are versions <10.36.x also affected? I was not able to find a hint for that.
Thank you
BR
Daniel
@ncats_lab we use the manual installer for our ubuntu kubernetes jamf pro pods.
Basically.. install java.. tomcat.. drop the .war into the web apps directory of tomcat... start tomcat..
In this scenario, mysql is elsewhere.
Thank you @bentoms . Unfortunately, this is going to take some more detailed work.
I tried to manually upgrade, but it reported that web.xml was corrupted. I replaced the new web.xml from the upgraded Tomcat with the original, so I am assuming that there was some change that I am not aware of. But I'm going to try to troubleshoot stuff when I have time.
Thanks again - hopefully, Jamf will provide updated documentation for manual upgrades on Linux.
Versions prior to 10.36 do contain the vulnerable Spring component. We do not recommend manual upgrades as it is more complex than a direct update of the impacted component, and may cause instability or future update issues. While we did not see a clean path to direct exploitation within Jamf products in the short time since this vulnerability was identified, we recommend everyone update to 10.36.4 or 10.37.2
Aaron Kiemele
CISO, Jamf
