New info this morning regarding Log4J. Version 2.15, included in the recent JAMF patch, is still vulnerable. When is a patch incoming?
CVE-2021-45046 was originally believed to allow a denial of service in Log4J 2.15.0 if certain non-default configurations were used. Security researchers have since found ways to leverage this vulnerability to allow remote code execution.
Additional research on Log4J 2.15.0 also showed that previous mitigations (specifically setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true) did not provide sufficient protection as there are still code paths in Log4J where message lookups could occur.
JAMF's last update was to run Log4Shell 2.16.
2.17 was released a few days after JAMF advised to update to 2.16. JAMF seems pretty insistent that the issues patched in 2.17 do not impact JAMF. However, with how much JAMF has backtracked on the multiple "this does not affect us" statements, take this how you will. I have been running 2.17 without any issues, but this is not a recommendation from me for you to update. If you go out of band you are on your own for support, but that is a risk I am willing to take.
This is how JAMF was communicating with us on Log4Shell, a bit out of normal for them, but it is what it is. They have since resolved this post.
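A check that follows from the thread above: rather than trusting a vendor statement about which Log4J level is bundled, scan the install for every log4j-core artifact (including jars nested inside a war, the layout a Tomcat-hosted webapp uses) and classify each by the version levels discussed in the replies (below 2.15.0, exactly 2.15.0, below 2.17.0, 2.17.0 or later). This is an added example, not JAMF's or Apache's code. The fixture directory, file names and the `assess`/`scan_tree` helpers are assumptions made for the demo; the scanner treats a jar with JndiLookup.class removed as mitigated but deliberately ignores `log4j2.formatMsgNoLookups`, since the reply above notes that setting it does not cover every lookup code path in 2.15.0. It assumes the 2.x mainline; the Java 7/6 support branches (2.12.x, 2.3.x) have their own fixed releases and would be misreported.

```python
"""Find bundled log4j-core jars under a directory tree and classify them.

Added example for the thread above; not JAMF's or Apache's code. The fixture
built by build_fixture() is constructed for the demo, not a real JAMF layout.
"""
import io
import os
import re
import tempfile
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 0)          # first 2.x mainline release the thread treats as fully fixed
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def assess(version, has_jndi_lookup):
    """Classify one log4j-core artifact on the 2.x mainline (assumption: not 2.12.x/2.3.x).

    formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS is deliberately NOT counted as a
    mitigation (it does not cover every lookup code path in 2.15.0, see the thread).
    Removing JndiLookup.class is the documented fallback for jars that cannot be
    upgraded, so a jar without that class counts as mitigated.
    """
    if version is None:
        return "unknown version"
    if version >= FIXED_VERSION:
        return "fixed"
    if not has_jndi_lookup:
        return "mitigated (JndiLookup.class removed)"
    if version < (2, 15, 0):
        return "vulnerable (Log4Shell, CVE-2021-44228)"
    if version == (2, 15, 0):
        return "vulnerable (CVE-2021-45046)"
    return "below 2.17.0 (issues fixed in 2.17 still present)"


def inspect_archive(data, name):
    """Yield (path, version, status) for each log4j-core in an archive, recursing into
    nested jars/wars (e.g. WEB-INF/lib inside ROOT.war)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:       # preferred: Maven metadata inside the jar
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line[len("version="):])
        else:                             # fallback: version in the file name
            m = re.search(r"log4j-core-([\d.]+)\.jar$", name)
            if m:
                version = parse_version(m[1])
        if version is not None or JNDI_LOOKUP_CLASS in names:
            yield name, version, assess(version, JNDI_LOOKUP_CLASS in names)
        for entry in names:
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(entry), f"{name}!/{entry}")


def scan_tree(root):
    """Return {archive_path: status} for every log4j-core found under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    data = fh.read()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                for found, _version, status in inspect_archive(data, rel):
                    findings[found] = status
    return findings


def _make_jar(entries):
    """Build an in-memory zip/jar from {name: bytes} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()


def build_fixture(root):
    """Constructed sample install with the three states the thread discusses."""
    def core(version, keep_jndi=True):
        entries = {POM_PROPERTIES: f"version={version}\n".encode()}
        if keep_jndi:
            entries[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe"   # stand-in class bytes
        return _make_jar(entries)

    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.15.0.jar"), "wb") as fh:
        fh.write(core("2.15.0"))                      # the "patched" level from the question
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(core("2.14.1", keep_jndi=False))     # old jar with JndiLookup.class deleted
    with open(os.path.join(root, "ROOT.war"), "wb") as fh:
        fh.write(_make_jar({"WEB-INF/lib/log4j-core-2.17.0.jar": core("2.17.0")}))


def demo():
    """Build the fixture in a temp dir and scan it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:50s} {path}")
```

Point `scan_tree()` at the directory holding the webapp and its libraries; anything reported as "vulnerable" or "below 2.17.0" is a jar the vendor patch did not replace, regardless of what the release notes say.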