Jamf Pro 10.22.0 Security Issue


6/24/20 Update

Hi Jamf Nation,

I want to provide a brief update following the security issue last weekend. Whether you are a Standard Cloud, Premium Cloud, or on-premises customer, you should have heard from our team via email with an update on how your instance was protected - in the case of cloud instances - or with instructions about how to mitigate the issue yourself - in the case of on-prem. Today we announced the availability of Jamf Pro 10.22.1, a new version that permanently fixes the security issue present in 10.22.0. In other words, no mitigation steps will be required for future versions - you’re covered.

Standard Cloud
This weekend’s maintenance window will be used to upgrade Standard Cloud instances to 10.22.1. You can view the cloud schedule here.

Premium Cloud customers are welcome to upgrade at your convenience by contacting success@jamf.com.

On-premises customers can grab the new version now on the My Assets page in Jamf Nation. If you have any questions or need additional assistance, don’t hesitate to contact Jamf Support.

6/20/20 Original Message

We recently became aware of an issue affecting Jamf Pro 10.22.0 that could allow for the disclosure of configuration information. In a Jamf Pro instance using a default configuration, this is assessed to be a CVSS 5.3 (Medium) severity issue.

To protect your Jamf Pro instance, we have taken a number of steps:

Jamf Cloud:
No additional action is needed at this time. A new version of Jamf Pro is expected in the near future.

Standard Cloud customers in the Sydney (ap-southeast-2), Tokyo (ap-northeast-1), and Frankfurt (eu-central-1) regions were upgraded to 10.22.0 during the maintenance window and mitigation has since been put in effect. All Tomcat instances are now online.

Standard Cloud customers in the United States and London (eu-west) regions were not upgraded and instances remain on 10.21.0, which is not affected by this security issue.

Mitigation steps are strongly recommended for customers with on-premises instances running Jamf Pro 10.22.0. Instructions on how to mitigate this issue were emailed to account technical and decision maker contacts on Saturday, June 20th. If you did not receive an email, please contact Jamf Support.

Next Steps:
If you have any questions or experience any issues during this process, contact Jamf Support for assistance.

Aaron Kiemele