Jamf Pro 10.32.1 Release

kaylee_carlson
Contributor
Contributor

Hi Jamf Nation,

Today we're releasing a hotfix for Jamf Pro that addresses a recently responsibly disclosed security issue.

We strongly recommended that you upgrade to Jamf Pro 10.32.1 as soon as possible. The following CVE is addressed by this release:
[PI-010111]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40808

This is a placeholder CVE that will be updated once we can disclose more information. We have scored this at a 7.5 High security severity using CVSSv3.1 and recommend this update to all customers as this impacts all supported versions of Jamf Pro.  

Please read the resolved issues section of the release notes for more information. Additional details on the resolved vulnerability will be made available at a future date to allow for Jamf Pro instances to be patched before full disclosure.

Please note this does not affect the cloud upgrade schedule for this upcoming weekend. You can find the cloud upgrade schedule here.

 

Read the full release notes here.

29 REPLIES 29

BookstoreIT
New Contributor

What versions are affected prior to 10.32.1?? I have two installations. One running 10.32.0 and one running 10.30.3. I do not see "Affected Versions" listed anywhere.

+1

@BookstoreITAgreed.  Currently running 10.31.1 here and since it's startup time, I'd like to know how urgent this is for the version we are running.

Reeve
New Contributor II

I recall this happened last urgent security patch, didn't give the affected versions right away and we had to ask for it.

AJPinto
Honored Contributor II

Samy boat as everyone else here. We are still running 10.26 and there is no word of what versions are effected. We plan on upgrading next month but it would be nice to know how urgent the upgrade is.

mike_paul
Contributor III
Contributor III

We recommend this upgrade for all users as this issue impacts all supported versions of Jamf Pro.  

This is helpful but should have been in the disclosure. Thank you.

cjavallas
New Contributor

Im waiting on a chat to ask and I'll post replies

 

ncats_lab
New Contributor III

There is no information in that CVE. What is the vulnerability - nothing is shown.

We intentionally do not populate the CVE with the information initially as that would disclose the issue which would put people not patched at risk.  

Once customers have ample amount of time to upgrade to the patched version we will update the CVE entry with more information. This time period varies depending on customer adoption.  

At this point all we can disclose here is its a security issue that we have ranked at a 7.5 High severity and that it impacts all supported versions of Jamf Pro.  There are a few more details that will be shared via email from Customer Success but the crux of the info is that it's a high security severity that is only fixable via upgrading Jamf Pro.  

ncats_lab
New Contributor III

@mike_paul , thank you for the reply. I understand the security concern, however I also agree with the folks below that customers should have some awareness of what result of an exploit would be at the very least.

If the cloud based version of Jamf Pro isn't being updated until this weekend, why should we as on-prem support upgrade ahead of you guys?

@BadinChuck, Jamf Cloud mass upgrades are scheduled in advance so customers know when services may be unavailable.  If a cloud customer wishes to upgrade sooner they just need to reach out to Customer Success.  Since we have no control over when customers who host their own instances update we provide the installer immediately and just ask that they do it at their earliest convenience to best protect themselves from risks.  

santoroj
New Contributor III

Agreed @ncats_lab customers knowing the vulnerability is key. Maybe not publicly disclosing the vuln. is a security measure, but we should be made aware of it. 

cjavallas
New Contributor

From JAMF:  

I am guessing this has to do with complexity of the issue, or not wishing to alarm the general public, but that is just a guess on my part. We were not told the details of the specific vulnerability either but just simply that upgrade is recommended wherever/whenever possible

BadinChuck
New Contributor

Agreed, we as customers should be informed what is addressed, what versions have the issue, which server OS is effected (i.e. Mac Server, Windows etc.)

jrippy
Contributor II

How do you download the releases now in the new Jamf Nation interface?

ITHoneyBadger
New Contributor III

You have to go to account.jamf.com

 

So, it's not just linked from my profile anymore, but I have to go there?

 

ITHoneyBadger
New Contributor III

As far as I know it is not.  I could be wrong.  The only way I've been able to get to it since they updated the forums was that page.

Ok.  That stinks they removed that link, but thank you for the information!

santoroj
New Contributor III

Yes everything was moved there to here 

joseph_thompson
New Contributor

Are we waiting for the update cycle to get out cloud instances upgraded? Or will the hotfix be pushed out today?

I reached out to success@ early in the day and still have no response.

@joseph_thompson All standard hosting Jamf Cloud will be updated to 10.32.1 this weekend unless it's otherwise requested by the customer.  If you put in a request this morning you should expect a response soon and they will be able to upgrade you ahead of schedule if that is your request.  

inflicted
New Contributor II

Is this related to the forcedentry vulnerability?

@inflicted, No, the hot fix above is to resolve the Jamf product issue PI-010111.  

The forcedentry vulnerability is related to Apple OS functionality.  More information on their recent updates can be found at Apple: https://support.apple.com/en-ca/HT212807 & https://support.apple.com/en-us/HT212804

It is recommended that people update to versions recommended by vendors to resolve the issues.  

Claude7004
New Contributor

It looks like this release, according to the release notes, patches 3 serious IndigoCard security vulnerabilities. Why is that not addressed up-front either in this post or why was no notice sent out about the vulnerabilities like the notice that was sent for the 10.30.1 release?

As much as I don't like it (I agree with you @Claude7004 that it should be addressed up front), I can at least explain their logic.

When they discover a severe vulnerability, they put out a patch and hide the details hoping they can get the community (i.e. not JamfCloud) upgraded to a point where, when the details are released, the possibility of compromise is reduced or not existent.

Again, it sucks b/c you don't know the details of what this affects, especially if you have to run the update through a change management process.

@Claude7004 There was one vulnerability that was addressed in this 10.32.1 release and three addressed in the 10.32 release to which we posted updates here in Jamf Nation and also sent communication via email. If you did not receive an email communication, please contact customers success at success@jamf.com