Posted on ‎06-20-2020 10:42 AM
This was shared on the MacAdmins Slack #jamfnation channel. It seems the communication didn't go out to everyone so I'm sharing here just in case:
We recently became aware of a security issue affecting version 10.22.0 of Jamf Pro. Jamf Pro 10.22.0 was made available for download for on-premise customers on June 16. This issue could allow for disclosure of configuration information. Depending on your deployed architecture, the risk could vary, but has been assessed in the default configuration as a CVSS 5.3 (Medium) severity.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
We're reaching out to inform you that we have pulled the Jamf Pro 10.22.0 Installers from Jamf Nation this evening, and are contacting you as you have downloaded the Jamf Pro 10.22.0 Installers from Jamf Nation. If you have an upgrade for Jamf Pro 10.22.0 planned this weekend, we would advise postponing that upgrade at this time. If you have already upgraded to Jamf Pro 10.22.0, we suggest powering down Tomcat temporarily until a workaround or hotfix is made available.
Our Jamf Cloud customers will be receiving different communication in regards to the mitigations we have put in place for their servers. We apologize for any inconvenience and more information will be made available shortly.
Jamf
Posted on ‎06-20-2020 01:18 PM
This message was sent to customers who downloaded the installer. If you upgraded to Jamf Pro 10.22.0 and didn't get the above email, please open a case with support so that they can get you a fix.
I'm sure more details will be forthcoming once customers have patched.
Posted on ‎06-20-2020 01:26 PM
I hadn't downloaded 10.22 and yet I still received this email. The heads-up is appreciated.
Posted on ‎06-21-2020 09:56 AM
If you are impacted, open up a support case with Jamf to get the hot patch đź‘Ś