Skip to main content

Update 12/28

On December 9, 2021, a Remote Code Execution (RCE) vulnerability (CVE-2021-44228) was identified in the log4j library (https://www.lunasec.io/docs/blog/log4j-zero-day/). The log4j project released version 2.15 to address this issue. New information has come to light identifying ways to exploit log4j 2.15 when the formatMsgNoLookups parameter was not set. CVE-2021-45046 was assigned to this and fixed on December 16, 2021 in log4j 2.16. 

 

We have continued to assess the impact and mitigate the vulnerability across our platform (tracked as PI-010403) as the security community has identified new issues in log4j. 

 

Due to the nature of these issues, these are considered critical vulnerabilities.

 

What Jamf products are impacted by the log4j vulnerability?

Jamf Pro (hosted on-premises): Patched

  • Jamf Pro versions older than 10.31 do not use log4j 2.x (which these vulnerabilities pertain to). However, there are other known security issues that have previously been documented against these versions. We suggest strongly that you update to the latest release.
  • The Jamf Pro 10.34.1 release mitigates the initial CVE-2021-44228. To mitigate the latest CVE, customers using 10.34.1 must set the formatMsgNoLookups=true” parameter as described here
  • We released Jamf Pro 10.34.2 to include log4j 2.16 and mitigate all currently known log4j vulnerabilities. No further configuration changes are necessary with this release.

We strongly encourage everyone running Jamf Pro on-premises to update to 10.34.2 or follow the manual instructions above as soon as possible.

 

Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated and Patched

  • Customers utilizing our cloud-based products have had the vulnerability mitigated through layered security controls, including disabling the vulnerable feature across all Java Virtual Machine instances using the formatMsgNoLookups=true parameter value and ensuring only secure message lookup patterns are in use. We are confident that our mitigations are effective against all currently known attacks.
  • However, out of an abundance of caution, we are also upgrading all Jamf Cloud customers to 10.34.2 as quickly as possible. If you are a Jamf Premium Cloud customer, your environment has mitigations in place to protect you from these vulnerabilities. However, if you have a need to update to log4j 2.16, you can contact Customer Success and schedule your upgrade to 10.34.2 at your convenience. 

 

Jamf Connect: Not affected

Jamf Connect does not use the affected libraries.

 

Jamf Now: Not affected

Jamf Now does not use the affected libraries.

 

Jamf Protect: Not affected

Jamf Protect does not use the affected libraries.

 

Jamf School: Not affected

Jamf School does not use the affected libraries.

 

Jamf Threat Defense: Not affected

Jamf Threat Defense does not use the affected libraries.

 

Jamf Data Policy: Not affected

Jamf Data Policy does not use the affected libraries.

 

Jamf Private Access: Not affected

Jamf Private Access does not use the affected libraries.

 

Health Care Listener: Not vulnerable

While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker. Healthcare Listener 2.2.2 assets containing the updated version of Log4j 2.17 are available for download on Jamf Account.

 

Jamf Infrastructure Manager: Not vulnerable

While Jamf Infrastructure Manager does utilize the library that includes the vulnerability, it cannot be exploited by an attacker. Jamf Infrastructure Manager 2.2.2 assets containing the updated version of Log4j 2.17 are available for download on Jamf Account.

 

Next Steps

On December 17, 2021, we released Jamf Pro 10.34.2 to address the vulnerability. For more information on what’s included in this release, review the release announcement on Jamf Nation or read the release notes here

 

If you cannot upgrade to this latest release, you can choose to manually update the log4j instances of the affected systems as described in our technical documentationIf you choose to implement the manual workaround as described, future updates (to versions after 10.34.2) will not be affected. For assistance with this workaround, reach out to support@jamf.com. 

 

UPDATE 12/18

We are aware of CVE-2021-45105 that was remediated in log4j 2.17.0. At this time, this new vulnerability does not seem to affect any Jamf products or services. The conditions required for the exploitation of the vulnerability are not met by Jamf's use of the log4j library. No further action is required at this time.

UPDATE 12/28

We are aware of CVE-2021-44832 that was remediated in log4j 2.17.1. Based on public disclosures to date, this vulnerability does not affect any Jamf products or services. The conditions required for the exploitation of the vulnerability are not met by Jamf’s use of the log4j library. No further action is required at this time. We will continue to monitor the situation and will report on new information as it becomes available.

If you have any questions, please reach out to Customer Success for assistance. 

 

@tlarkin See Aaron's response above. I didn't want you to miss it.  😀


Can you get Aaron_Kiemele a badge like yours that states his position or employment status with Jamf. Right now it looks like some random person off the street. 

Since it's not updated here yet.  Healthcare Listener and Infrastructure Manager applications have been updated with Log4j 2.17 and should be available in your product assets in your account if you use it. 
The New HCL/JIM version is 2.2.2.
Happy patching.

My cyber team is wondering if we can update the lo4j library to 2.17 manually (so it can be removed from scans). Will this work?

My cyber team is wondering if we can update the lo4j library to 2.17 manually (so it can be removed from scans). Will this work?


Yes, you can do that, that's what I have done as well. I followed this, but replaced 2.16.0 for 2.17.0: https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html

Worked perfectly fine. 

Great work thank you for sharing this information.

myccpay account

UPDATE 12/28

We are aware of CVE-2021-44832 that was remediated in log4j 2.17.1. Based on public disclosures to date, this vulnerability does not affect any Jamf products or services. The conditions required for the exploitation of the vulnerability are not met by Jamf’s use of the log4j library. No further action is required at this time. We will continue to monitor the situation and will report on new information as it becomes available.

Do you even work for JAMF?  How do we know this is credible information???

 

Paul

President of the United Federation, because my signature says so.

Do you even work for JAMF?  How do we know this is credible information???

 

Paul

President of the United Federation, because my signature says so.


Aaron Kiemele is JAMFs Chief Information Security Officer. However I totally agree. There should be some kind of badge of some sort so we know this is a JAMF employee.

 

He did sign one of his posts 2 weeks ago in this thread, looks like it was originally an email. Not a source of trust by any means but it is what it is. I do find it funny a Chief Information Security Officer feels no need to prove his information is trustworthy. Suppose typical ivory tower nonsense and no one under him has the courage to tell him he is doing this wrong. We should have gotten these communications in emails.

Aaron Kiemele is JAMFs Chief Information Security Officer. However I totally agree. There should be some kind of badge of some sort so we know this is a JAMF employee.

 

He did sign one of his posts 2 weeks ago in this thread, looks like it was originally an email. Not a source of trust by any means but it is what it is. I do find it funny a Chief Information Security Officer feels no need to prove his information is trustworthy. Suppose typical ivory tower nonsense and no one under him has the courage to tell him he is doing this wrong. We should have gotten these communications in emails.


True. I did get a notice from my internal JAMF customer support contact, wh pointed me to his/this thread when I was asking for info two weeks ago. For what it's worth [from me as another unknown person in the community 😉 ]

I agree staff should be easily identifiable when they post though.

Donald


IMPORTANT WARNING: This message is intended for the use of the person or entity to which it is addressed and may contain information that is privileged and confidential, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this information is strictly prohibited. Thank you for your cooperation.
True. I did get a notice from my internal JAMF customer support contact, wh pointed me to his/this thread when I was asking for info two weeks ago. For what it's worth [from me as another unknown person in the community 😉 ]

I agree staff should be easily identifiable when they post though.

Donald


IMPORTANT WARNING: This message is intended for the use of the person or entity to which it is addressed and may contain information that is privileged and confidential, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this information is strictly prohibited. Thank you for your cooperation.

Thank you, this is a good point. I will look into how we might best improve.  

Any ambiguous information can also be authenticated via the release notes here, by contacting your Customer Success rep, or reaching out to support@jamf.com

Aaron Kiemele
Chief Information Security Officer, Jamf

Thank you, this is a good point. I will look into how we might best improve.  

Any ambiguous information can also be authenticated via the release notes here, by contacting your Customer Success rep, or reaching out to support@jamf.com

Aaron Kiemele
Chief Information Security Officer, Jamf


Our IAs aren't going to accept "New Contributor III" as an official source of information.  Until this is in a KB, or you provide proof of your claimed credentials, I have asked customer support for the information in an verifiable authentic manner.

Hello Jamf Nation! Community Moderator, Calley here. Thank you for raising the concern about identifying our Jamf employees in our Jamf Nation Community. Today we began rolling out the employee role badge next to a Jamf employee's name. However, this is a rollout, so not every Jamf will have a badge today, and we appreciate your patience as we work toward this goal. In the meantime, if you do have questions regarding any community members' status, please reach out via DM, Slack me on MacAdmin, or email at jamfnation@jamf.com. 

Reply


Terms & ConditionsCookie settings