10-18-2022 02:11 PM - edited 11-02-2022 12:15 PM
We recently became aware of a Java vulnerability in the Apache Commons Text library [CVE-2022-42889] that could allow for code injection by a malicious actor. While Jamf Pro, Jamf Now, Jamf School, Jamf Threat Defense, Jamf Data Policy, Infrastructure Manager, and Jamf Private Access do utilize this library, a thorough review has shown that these products are not vulnerable to this attack.
Although the products themselves are not vulnerable to this attack, upcoming releases of Jamf Pro, Jamf Now, Jamf School, Jamf Threat Defense, Jamf Data Policy, Infrastructure Manager, and Jamf Private Access will contain updates to this vulnerable library.
If you have any questions or experience any issues during this process, contact Jamf Support for assistance.
Aaron Kiemele
CISO, Jamf
11-03-2022 08:33 AM - edited 11-05-2022 04:37 AM
I just got pulled into a call regarding CVE-2022-42889 so perfect timing.
Posted on 11-04-2022 02:04 AM
https://community.jamf.com/t5/jamf-nation/apache-commons-text-vulnerability/m-p/276032
For additional clarity, as our CISO Aaron Kiemele mentioned in this post specifically about CVE-2022-42889, all of our Jamf products that use the Apache Commons Text library, including Jamf Pro, are not at risk from the vulnerability based on our configurations. This is still the case. But since we were doing another release to help customers impacted by PI110632, we figured we'd include the updated Apache Commons Text library since it still shows up on many customers' own security scanning software.
Thank you
Mike Paul
Jamf Product Security Engineer