Skip to main content

Hi Jamf Nation,

Apache Tomcat recently announced a security fix for a high-severity vulnerability in their product. Because Jamf Pro requires Apache Tomcat and security is of utmost importance, we are passing on the following information so that you can take steps to mitigate the vulnerability if you have an on-premise environment.

Please note: This issue does not impact Jamf Pro instances hosted in Jamf Cloud or other Jamf products. This issue only impacts on-premise Jamf Pro customers.

We recommend immediate mitigation via one of the following actions:
1. Comment out the AJP Connector in server.xml and restart the Jamf Pro Tomcat service
2. Add a rule on your firewall to disable inbound connections to the Jamf Pro server on port 8009

Additional information about this vulnerability is available in Apache’s release notes.

If you have questions, please email success@jamf.com. For assistance mitigating this issue in your environment, please contact Jamf Support.

@seabash ,@levans Thank you for the help, I will try this out and let you know.

Jennifer

Do we have a definitive answer on this?

@mhegge I've done 4 5 servers thus far (10/18.0 & 10.19.0) by just editing the server.xml file. Done on both Windows server 2012r2 and macOS Mojave. I did the following:

  1. Backup the server.xml file for starters (/Library/JSS/Tomcat/conf/server.xml on macOS and /Program Files/JSS/Tomcat/conf/server.xml on Windows)
  2. Run Notepad.exe as Administrator (or do a $ sudo nano /Library/JSS/Tomcat/conf/server.xml in Terminal on the macOS)
  3. Edit the file (commenting out the line listed above), then Save
  4. Restart Tomcat service (unload and load the launchdaemon on macOS)
  5. Validate server was back up and running successfully.

Pretty dang easy stuff here. Doing the production server in the AM. No issues whatsoever. Jamf confirmed there are no ill-side-effects by doing this as well.

Just upgraded to Jamf Pro 10.19 (planned) this morning, and then bounced the servers with the modified server.xml file. No issues. Port 8009 wasn't even open inbound to our DMZ nodes, but better to be safe than sorry.

To everybody that has problems after commenting out that line: You are most likely facing a feature on xml that does not allow nested comments. So make sure you only comment out that one line, or simply remove it, do not try to span your comment including the comment above the line in question. I fell into the same trap ...good that I can still learn a bit from my mistakes...

Thank you for pointing that out.
After commenting out the line, my Tomcat didn't come back up again (Jamf Server itself had no issue though). Only after removing the line completely (after having copied the server.xml file of course for a backup), it worked.

@jules1987 I had the same issue and after removing the entire line instead of commenting it out it worked for me as well. Strange. I'm a bit new to Linux administration so I wonder why that would be.

One more thing we noticed today. jamf-pro database config list is all not configured. We have added max connection to 100 (a little excessive for two servers), and max buffer size to 2GB.

We had one big crash today, had to take everything offline to bring back online. So far, stable. Fingers crossed.

Let me know if you want me to pull any log for you ahead of the WebEx.

Thank you.

The comment out worked fine on my clustered Jamf 10.19 Windows 2012R2 hosted environment!

@nstrauss Your instructions were perfect!

Performed this after business hours in my clustered/hosted environment.

@mschroder, @mhegge; the line in question should be around line 79 in the server.xml file. It should look like this:

<!-- Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

Note the comment at the beginning and the end (which I have bolded, but the preview doesn't look much more emphasized). Apparently we cannot span these (that is, open a comment on one line and use it for multiple lines). Each comment must be its own line, with its own open and close syntax

EDIT: Also wanted to share my experience on this. We did the comment, after reading up here that spanning comments is a no-go.

We restarted Tomcat, waited about 10 minutes, trying to login to JAMF every couple minutes. No go, so we thought it might be the MySQL instance needing to be restarted. Got an error for a null table, which baffled us, and led us down a bit of a rabbit hole to fix it (we didn't make any changes to the database).

Restarted Tomcat a second time, and it immediately came up. So for anyone hitting any error, you can try to restart the MySQL and/or Tomcat a few times, it should eventually connect up as it should. At least for JAMF 10.17, in my case.

@damienbarrett wrote:

Never mind. I'm an idiot. I thought I was commenting out the line but wasn't. Too early; need caffeine.

Here ya go:

caffeinate -id “@damienbarrett”

#tongueInCheek

We are still failing security scans.

I have been asked to expose our Jamf Pro application to the internet so that our WFH employees can get updates. My plan is to use an Apache server in the DMZ to proxy redirect to the Jamf server inside our firewall. Oh, and we are running Jamf Pro 10.9.0. Since the AJP protocol is necessary for proxy redirects, I assume Jamf won't work if I comment out the line in server.xml.
@Jamf Employees: What do you recommend I do? We installed Tomcat bundled with Jamf. What version of JAMF fixes the AJP vulnerability in Tomcat?

@mh53j_fe If you're not opening port 8009 to the outside world on your firewall this shouldn't be an issue for you.

Terms & ConditionsCookie settings