
Update 12/28

On December 9, 2021, a Remote Code Execution (RCE) vulnerability (CVE-2021-44228) was identified in the log4j library (https://www.lunasec.io/docs/blog/log4j-zero-day/). The log4j project released version 2.15 to address this issue. New information has come to light identifying ways to exploit log4j 2.15 when the formatMsgNoLookups parameter was not set. CVE-2021-45046 was assigned to this and fixed on December 16, 2021 in log4j 2.16. 

 

We have continued to assess the impact and mitigate the vulnerability across our platform (tracked as PI-010403) as the security community has identified new issues in log4j. 

 

Due to the nature of these issues, these are considered critical vulnerabilities.

 

What Jamf products are impacted by the log4j vulnerability?

Jamf Pro (hosted on-premises): Patched

  • Jamf Pro versions older than 10.31 do not use log4j 2.x (which these vulnerabilities pertain to). However, there are other known security issues that have previously been documented against these versions. We suggest strongly that you update to the latest release.
  • The Jamf Pro 10.34.1 release mitigates the initial CVE-2021-44228. To mitigate the latest CVE, customers using 10.34.1 must set the formatMsgNoLookups=true parameter as described here.
  • We released Jamf Pro 10.34.2 to include log4j 2.16 and mitigate all currently known log4j vulnerabilities. No further configuration changes are necessary with this release.

We strongly encourage everyone running Jamf Pro on-premises to update to 10.34.2 or follow the manual instructions above as soon as possible.

 

Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated and Patched

  • Customers utilizing our cloud-based products have had the vulnerability mitigated through layered security controls, including disabling the vulnerable feature across all Java Virtual Machine instances using the formatMsgNoLookups=true parameter value and ensuring only secure message lookup patterns are in use. We are confident that our mitigations are effective against all currently known attacks.
  • However, out of an abundance of caution, we are also upgrading all Jamf Cloud customers to 10.34.2 as quickly as possible. If you are a Jamf Premium Cloud customer, your environment has mitigations in place to protect you from these vulnerabilities. However, if you have a need to update to log4j 2.16, you can contact Customer Success and schedule your upgrade to 10.34.2 at your convenience. 

 

Jamf Connect: Not affected

Jamf Connect does not use the affected libraries.

 

Jamf Now: Not affected

Jamf Now does not use the affected libraries.

 

Jamf Protect: Not affected

Jamf Protect does not use the affected libraries.

 

Jamf School: Not affected

Jamf School does not use the affected libraries.

 

Jamf Threat Defense: Not affected

Jamf Threat Defense does not use the affected libraries.

 

Jamf Data Policy: Not affected

Jamf Data Policy does not use the affected libraries.

 

Jamf Private Access: Not affected

Jamf Private Access does not use the affected libraries.

 

Health Care Listener: Not vulnerable

While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker. Healthcare Listener 2.2.2 assets containing the updated version of Log4j 2.17 are available for download on Jamf Account.

 

Jamf Infrastructure Manager: Not vulnerable

While Jamf Infrastructure Manager does utilize the library that includes the vulnerability, it cannot be exploited by an attacker. Jamf Infrastructure Manager 2.2.2 assets containing the updated version of Log4j 2.17 are available for download on Jamf Account.

 

Next Steps

On December 17, 2021, we released Jamf Pro 10.34.2 to address the vulnerability. For more information on what’s included in this release, review the release announcement on Jamf Nation or read the release notes here

 

If you cannot upgrade to this latest release, you can choose to manually update the log4j instances of the affected systems as described in our technical documentation. If you choose to implement the manual workaround as described, future updates (to versions after 10.34.2) will not be affected. For assistance with this workaround, reach out to support@jamf.com. 

 

UPDATE 12/18

We are aware of CVE-2021-45105 that was remediated in log4j 2.17.0. At this time, this new vulnerability does not seem to affect any Jamf products or services. The conditions required for the exploitation of the vulnerability are not met by Jamf's use of the log4j library. No further action is required at this time.

UPDATE 12/28

We are aware of CVE-2021-44832 that was remediated in log4j 2.17.1. Based on public disclosures to date, this vulnerability does not affect any Jamf products or services. The conditions required for the exploitation of the vulnerability are not met by Jamf’s use of the log4j library. No further action is required at this time. We will continue to monitor the situation and will report on new information as it becomes available.

If you have any questions, please reach out to Customer Success for assistance. 

 

Will we be notified on the fix for jamf cloud?  I have security folks asking for statuses on all our SaaS right now.




We will update customers for all Jamf products, including Jamf Cloud, when we are able to share more information.


@tlarkin See Aaron's response above. I didn't want you to miss it.  😀


While awaiting official guidance from Jamf, Jamf (esp on-prem) admins might want to review this post RCE 0-day exploit found in log4j 




I applied that mitigation and rebooted my server. I'm running 10.34.

Scanning it now to see if anything was dropped on the server. Nothing yet.

Went through stuff like this with Exchange back in March! Not fun!

I also have a case opened (critical) and waiting to hear back from them.


So, there's a potential Security issue...and this is the medium for notice? Seems like there's something missing in this process....


Any update?


I have our infosec team asking for an update as well. Anything? 


It has been 7 hours since this post was made and we've seen more info from JAMF customers regarding impact and remediation than from JAMF.

An update would be appreciated.


Instead of whining at JAMF, why not just TURN YOUR SERVERS OFF for the weekend; at least?

 

I'm sure JAMF is doing all they can and I appreciate their efforts.


I'm certain that they are working diligently toward addressing this issue.
I've worked with them on addressing a number of issues and they have been incredibly helpful in resolving things.

Although some kind of follow up on the progress made while investigating and remediating the issue would help to alleviate some concern. We all appreciate their effort, you seem to be under the misconception that I don't.


Updated 12/10: On December 9, 2021, a Remote Code Execution (RCE) vulnerability (CVE-2021-44228) was identified in the log4j library (https://www.lunasec.io/docs/blog/log4j-zero-day/) and multiple threat actors have been found to be scanning for vulnerable systems. We are actively working to assess the impact and mitigate the vulnerability across our platform (tracked as PI-010403). 
 
Due to the nature of the issue, this is considered a critical vulnerability.
 
What Jamf products are impacted by the vulnerability?
Jamf Pro (hosted on-premises): Affected
Jamf Pro 10.14 and later include Java 11 which partially mitigated the issue. We are actively working on a complete mitigation in a new Jamf Pro release. Until this version is available, a manual workaround to update the log4j library directly is documented below.
 
Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated
Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.
 
Jamf Connect: Not affected
Jamf Connect does not use the affected libraries.
 
Jamf Now: Not affected
Jamf Now does not use the affected libraries.
 
Jamf Protect: Not affected
Jamf Protect does not use the affected libraries.
 
Jamf School: Not affected
Jamf School does not use the affected libraries.
 
Jamf Threat Defense: Not affected
Jamf Threat Defense does not use the affected libraries.
 
Jamf Data Policy: Not affected
Jamf Data Policy does not use the affected libraries.
 
Jamf Private Access: Not affected
Jamf Private Access does not use the affected libraries.
 
Health Care Listener: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
 
Jamf Infrastructure Manager: Not vulnerable
While Jamf Infrastructure Manager does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
 
Next Steps
We will be releasing updates for affected products as quickly as feasible. However, you can choose to work around the issue by manually updating the log4j instances of the affected systems as described in our technical documentation. If you choose to implement the manual workaround as described, future updates (to versions newer than 10.34.1) will not be affected. For assistance with this workaround, please reach out to support@jamf.com. 
 
We are actively continuing to assess the impact and mitigate the vulnerability across our platform. Please note that some customers may experience brief Jamf Cloud interruptions over the weekend as a result of security updates and refinements. If you have any questions, please reach out to Customer Success. 
 
Due to the urgency, this communication is available in English only, and we will also be sending this via email to primary technical contacts at affected organizations.
 
Aaron Kiemele
Chief Information Security Officer, Jamf


Where can we download Jamf Pro 10.34.1?




To access the latest version of Jamf Pro, log into Jamf Account with your Jamf ID. The latest version is located in the Products section under Jamf Pro.


Update - 12/14
On December 9, 2021, a Remote Code Execution (RCE) vulnerability (CVE-2021-44228) was identified in the log4j library (https://www.lunasec.io/docs/blog/log4j-zero-day/) and multiple threat actors have been found to be scanning for vulnerable systems. We have been actively working to assess the impact and mitigate the vulnerability across our platform (tracked as PI-010403). 
 
Due to the nature of the issue, this is considered a critical vulnerability.
 
What Jamf products are impacted by the vulnerability?
Jamf Pro (hosted on-premises): Patched
Jamf Pro versions older than 10.14 are vulnerable to this issue. Versions 10.14 through 10.34 include Java 11, which partially mitigates the issue. The Jamf Pro 10.34.1 release was made available to address the issue completely. Please update to this version as soon as possible.
 
Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated
Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.
 
Jamf Connect: Not affected
Jamf Connect does not use the affected libraries.
 
Jamf Now: Not affected
Jamf Now does not use the affected libraries.
 
Jamf Protect: Not affected
Jamf Protect does not use the affected libraries.
 
Jamf School: Not affected
Jamf School does not use the affected libraries.
 
Jamf Threat Defense: Not affected
Jamf Threat Defense does not use the affected libraries.
 
Jamf Data Policy: Not affected
Jamf Data Policy does not use the affected libraries.
 
Jamf Private Access: Not affected
Jamf Private Access does not use the affected libraries.
 
Health Care Listener: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
 
Jamf Infrastructure Manager: Not vulnerable
While Jamf Infrastructure Manager does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
 
Next Steps
We released version 10.34.1 for Jamf Pro to address the vulnerability. For more information on what’s included in this release, check out the release announcement on Jamf Nation or read the release notes here
To access new versions of Jamf Pro, log into Jamf Account with your Jamf ID. The latest version is located in the Products section under Jamf Pro. 
 
If you cannot upgrade to this latest release, you can choose to work around the issue by manually updating the log4j instances of the affected systems as described in our technical documentation. If you choose to implement the manual workaround as described, future updates (to versions newer than 10.34.1) will not be affected. For assistance with this workaround, please reach out to support@jamf.com. 
 
Please update to the latest release as soon as possible. If you have any questions, please reach out to Customer Success for assistance. 
 
Due to the urgency, this communication is available in English only, and we will also be sending this via email to primary technical contacts at affected organizations.
 
Aaron Kiemele
Chief Information Security Officer, Jamf

Does this impact the Jamf ADCS tool in any way?




@landon_Starr The ADCS Connector is not impacted by this issue. 


For Jamf Infrastructure Manager is it not exploitable because Java is not actively running?

 

I notice these JAR files containing log4j 2.13.3 version components in JIM 2.2.0 at:

C:\Program Files\Jamf\Infrastructure Manager\jamf-im-enroll-2.2.0-2.2.0.jar
C:\Program Files\Jamf\Infrastructure Manager\jamf-im-launcher-2.2.0-2.2.0.jar

Are these needed or can they be deleted?
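Added example (not part of the original thread and not Jamf tooling): one way to inventory log4j-core copies bundled inside application JARs, as in the post above, and list which of the CVEs named in this thread were not yet remediated in that library version. It assumes the bundled copy keeps its Maven pom.properties, and it uses only the fixed-in versions stated in the advisory; a hit means "library version predates the fix", not "exploitable".

```python
import io
import re
import zipfile

# Fixed-in versions exactly as named in the advisory above; backport
# branches of log4j are not modelled (assumption of this example).
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
# Maven metadata in a stock log4j-core JAR; shaded builds may strip it.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MAX_NESTED = 200 * 1024 * 1024  # skip oversized nested archives

def unremediated_cves(version):
    """CVEs from the advisory whose fixed-in version is newer than `version`."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m or m[1] != "2":  # the advisory's CVEs pertain to log4j 2.x only
        return []
    v = (2, int(m[2]), int(m[3] or 0))
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)

def find_log4j_core(data, path, depth=3):
    """Return [(location, version)] for log4j-core copies, nested archives included."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found
    with zf:
        for info in zf.infolist():
            if info.filename == POM:
                props = zf.read(info).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    found.append((path, m[1].strip()))
            elif (depth > 0 and info.file_size <= MAX_NESTED
                  and info.filename.lower().endswith((".jar", ".war", ".ear"))):
                found += find_log4j_core(zf.read(info), f"{path}!/{info.filename}", depth - 1)
    return found

def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample: an application JAR bundling log4j-core 2.13.3.
    inner = make_jar({POM: "artifactId=log4j-core\nversion=2.13.3\n"})
    outer = make_jar({"lib/log4j-core-2.13.3.jar": inner, "Main.class": b""})
    return [(loc, ver, unremediated_cves(ver))
            for loc, ver in find_log4j_core(outer, "sample.jar")]
```

To check a real file, pass its bytes and name to find_log4j_core, for example the contents of one of the JARs listed above read with open(path, "rb").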

 

 

 

 




@fgonzale JIM is not exploitable since no untrusted user data is ever logged. We purposely minimize what information is logged by JIM to mitigate any potential data handling issues.

Deleting the JAR files above would however cause JIM to no longer function correctly.




Thank you for looking into this. This is obviously a small, but vital and extremely sensitive component.


It looks like the Jamf Infrastructure Manager was just updated to version 2.2.1 which includes a newer 2.15 log4j library.

https://docs.jamf.com/infrastructure-manager/2.2.1/Jamf_Infrastructure_Manager_Release_History.html

 

Thank you!

 


A new CVE affecting log4j 2.15.0.

log4j 2.16.0 has been released in response.


Update 12/14 - We are aware of CVE-2021-45046 that was remediated in log4j 2.16.0. Based on what we know today, this new vulnerability does not affect Jamf products. The conditions required for the exploitation of the vulnerability are not met by Jamf's use of the log4j library. We will continue to investigate and monitor, but no further action is required to remediate this CVE with Jamf products.

Aaron Kiemele
Chief Information Security Officer, Jamf




Thanks for confirming that this CVE does not affect JAMF at this time. Would there be any issue if we go ahead and update log4j to v2.16.0 using prior manual remediation steps anyway for consistency? I can imagine that our IT Security would prefer that we err on the side of caution and update anyway for consistency.


Hello,

I have a question regarding the cloud instances.

Jamf Pro (Jamf Cloud and Jamf Cloud Premium) Mitigated
Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.
 
What are the appropriate security controls exactly? Our security team is not happy with the vague description
