Help

Is Jamf Pro affected by SpringShell vulnerability?

sist
New Contributor II

Posted on ‎03-30-2022 12:07 AM

Hi!

 

Today, a RCE 0-day vulnerability was discovered in SpringShell: 

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

It seems like Jamf is using the Spring framework

 

/usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib/spring-beans-5.3.9.jar

 

Is Jamf Pro affected by this vulnerability and if so, what is the recommended action?

 

 

0 Kudos
Reply
5 REPLIES 5

Aaron_Kiemele
Contributor
Contributor

Posted on ‎03-30-2022 03:33 PM

We are actively investigating this reported vulnerability. Though Jamf Pro does utilize the Spring Framework, we have not found any evidence that Jamf customers are affected in any way at this time.

Aaron Kiemele

Jamf, CISO

Reply

CalleyO
Contributor III

Posted on ‎03-31-2022 11:25 AM

Please review @Aaron_Kiemele more detailed post regarding this question. 

Reply

CrawfordRobson
New Contributor III

Posted on ‎04-01-2022 12:11 AM

Any other Jamf products are affected by CVE-2022-22965?
 
We use Jamf Pro, Jamf Protect, and Connect.
0 Kudos
Reply

CalleyO
Contributor III
In response to CrawfordRobson

Posted on ‎04-04-2022 06:18 AM

@CrawfordRobson Thanks for reposting your question on this thread.  

0 Kudos
Reply

piotrwawrzynek
New Contributor

Posted on ‎04-01-2022 06:57 AM

The same question like @CrawfordRobson  In Jamf Pro installation folder I see file : spring-beans-5.3.11.jar. In reference to the article : https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?m=1 . It determine that application is potentiality vulnerability for spring4shell ... ?

0 Kudos
Reply