Is Jamf Pro affected by SpringShell vulnerability?

sist
New Contributor II

Hi!

 

Today, a RCE 0-day vulnerability was discovered in SpringShell: 

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

It seems like Jamf is using the Spring framework

 

/usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib/spring-beans-5.3.9.jar

 

Is Jamf Pro affected by this vulnerability and if so, what is the recommended action?

 

 

5 REPLIES 5

Aaron_Kiemele
Contributor
Contributor

We are actively investigating this reported vulnerability. Though Jamf Pro does utilize the Spring Framework, we have not found any evidence that Jamf customers are affected in any way at this time.

Aaron Kiemele

Jamf, CISO

CalleyO
Contributor III
Contributor III

Please review @Aaron_Kiemele more detailed post regarding this question. 

CrawfordRobson
New Contributor III
Any other Jamf products are affected by CVE-2022-22965?
 
We use Jamf Pro, Jamf Protect, and Connect.

@CrawfordRobson Thanks for reposting your question on this thread.  

piotrwawrzynek
New Contributor

The same question like @CrawfordRobson  In Jamf Pro installation folder I see file : spring-beans-5.3.11.jar. In reference to the article : https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?m=1 . It determine that application is potentiality vulnerability for spring4shell ... ?