Posted on 12-23-2021 04:14 AM
New info this morning regarding Log4j. Version 2.15, included in the recent JAMF patch, is still vulnerable. When is a patch incoming?
Event Impact:
CVE-2021-45046 was originally believed to allow a denial of service in Log4J 2.15.0 if certain non-default configurations were used. Security researchers have since found ways to leverage this vulnerability to allow remote code execution.
Additional research on Log4J 2.15.0 also showed that previous mitigations (specifically setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true) did not provide sufficient protection as there are still code paths in Log4J where message lookups could occur.
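An added example, not code from the thread or from Jamf, of the check a practitioner would run against the log4j-core jar after reading the advisory text above: it reads the version from the jar's own metadata, checks whether the JndiLookup class is still present, and maps that onto the two advisories named here (CVE-2021-44228, fixed in 2.15.0 and in the 2.12.2 backport; CVE-2021-45046, fixed in 2.16.0 and 2.12.2). Deliberately, the log4j2.formatMsgNoLookups property / LOG4J_FORMAT_MSG_NO_LOOKUPS variable is not an input, because the advisory no longer credits it as a mitigation; only the version and removal of JndiLookup.class count. The jars it runs on are constructed in memory so the script works offline; it assumes a real log4j-core jar carries either a Maven pom.properties entry or an Implementation-Version header in its manifest, and the path of the jar inside a Jamf Pro install is not given in the thread, so supply it yourself.

```python
"""Check a log4j-core jar's version and JndiLookup.class presence against the
advisories discussed above. Sample jars are constructed in memory for the demo."""
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# (CVE, first affected release, first fixed release, fixed backport per minor line).
# Only the two advisories the thread refers to; extend as further ones are published.
ADVISORIES = (
    ("CVE-2021-44228", (2, 0, 0), (2, 15, 0), {(2, 12): (2, 12, 2)}),
    ("CVE-2021-45046", (2, 0, 0), (2, 16, 0), {(2, 12): (2, 12, 2)}),
)


def parse_version(text):
    """'2.15.0' -> (2, 15, 0). Pre-release suffixes such as '-beta9' are ignored."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def inspect_jar(jar_bytes):
    """Return (version tuple, True if JndiLookup.class is still in the jar)."""
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        # Prefer Maven's pom.properties, then the manifest's Implementation-Version.
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        if version is None and "META-INF/MANIFEST.MF" in names:
            for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
        if version is None:
            raise ValueError("could not determine log4j-core version from jar metadata")
        return version, JNDI_LOOKUP_CLASS in names


def assess(version, jndi_present):
    """Map a version and JndiLookup presence onto each advisory.

    The formatMsgNoLookups property is intentionally not a parameter: per the
    advisory it is not a sufficient mitigation, so it cannot change the verdict.
    """
    findings = {}
    for cve, first_affected, fixed_in, backports in ADVISORIES:
        line = version[:2]
        backport_fixed = line in backports and version >= backports[line]
        if version < first_affected or version >= fixed_in or backport_fixed:
            findings[cve] = "not affected"
        elif not jndi_present:
            findings[cve] = "mitigated (JndiLookup.class removed)"
        else:
            findings[cve] = "affected"
    return findings


def check_jar(jar_bytes):
    """Convenience wrapper: (version, jndi_present, findings) for one jar."""
    version, jndi_present = inspect_jar(jar_bytes)
    return version, jndi_present, assess(version, jndi_present)


def build_sample_jar(version_text, include_jndi_lookup=True):
    """Constructed sample jar carrying only the metadata entries the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version_text}\r\n")
        jar.writestr(POM_PROPERTIES,
                     "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
                     f"version={version_text}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("2.14.1 as shipped", build_sample_jar("2.14.1")),
        ("2.15.0 as shipped", build_sample_jar("2.15.0")),
        ("2.15.0, JndiLookup removed", build_sample_jar("2.15.0", include_jndi_lookup=False)),
        ("2.16.0 as shipped", build_sample_jar("2.16.0")),
    )
    for label, jar in samples:
        version, jndi, findings = check_jar(jar)
        print(f"{label}: {'.'.join(map(str, version))} jndi_lookup={jndi} {findings}")
```

To run it against a real server, read the jar from disk (`check_jar(open(path, "rb").read())`) for every log4j-core jar you find under the Jamf Pro webapp; the 2.15.0 case is the one the first post is about: CVE-2021-44228 comes back as not affected but CVE-2021-45046 as affected, whereas 2.16.0 clears both.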
Posted on 12-23-2021 05:26 AM
What version of Jamf are you running? 10.34.2 includes Log4j 2.16.0 and I think includes extra security settings.