Jamf Pro: 10.22.0: CVSS 5.3 (Medium) severity

bpavlov
Honored Contributor

This was shared on the MacAdmins Slack #jamfnation channel. It seems the communication didn't go out to everyone so I'm sharing here just in case:

We recently became aware of a security issue affecting version 10.22.0 of Jamf Pro. Jamf Pro 10.22.0 was made available for download for on-premise customers on June 16. This issue could allow for disclosure of configuration information. Depending on your deployed architecture, the risk could vary, but has been assessed in the default configuration as a CVSS 5.3 (Medium) severity.

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

We're reaching out to inform you that we have pulled the Jamf Pro 10.22.0 Installers from Jamf Nation this evening, and are contacting you as you have downloaded the Jamf Pro 10.22.0 Installers from Jamf Nation. If you have an upgrade for Jamf Pro 10.22.0 planned this weekend, we would advise postponing that upgrade at this time. If you have already upgraded to Jamf Pro 10.22.0, we suggest powering down Tomcat temporarily until a workaround or hotfix is made available.

Our Jamf Cloud customers will be receiving different communication in regards to the mitigations we have put in place for their servers. We apologize for any inconvenience and more information will be made available shortly.

Jamf


ericjboyd
Contributor

This message was sent to customers who downloaded the installer. If you upgraded to Jamf Pro 10.22.0 and didn't get the above email, please open a case with support so that they can get you a fix.

I'm sure more details will be forthcoming once customers have patched.

bradtchapman
Valued Contributor II

I hadn't downloaded 10.22 and yet I still received this email. The heads-up is appreciated.

lars0n
New Contributor II

If you are impacted, open up a support case with Jamf to get the hot patch 👌