Hi Jamf Nation,
Today we're releasing a hotfix for Jamf Pro that addresses a recently responsibly disclosed security issue.
We strongly recommend that you upgrade to Jamf Pro 10.32.1 as soon as possible. The following CVE is addressed by this release:
This is a placeholder CVE that will be updated once we can disclose more information. We have scored this at a 7.5 High security severity using CVSSv3.1 and recommend this update to all customers as this impacts all supported versions of Jamf Pro.
Please read the resolved issues section of the release notes for more information. Additional details on the resolved vulnerability will be made available at a future date to allow for Jamf Pro instances to be patched before full disclosure.
Please note this does not affect the cloud upgrade schedule for this upcoming weekend. You can find the cloud upgrade schedule here.
Read the full release notes here.
We intentionally do not populate the CVE with the information initially as that would disclose the issue which would put people not patched at risk.
Once customers have an ample amount of time to upgrade to the patched version, we will update the CVE entry with more information. This time period varies depending on customer adoption.
At this point all we can disclose here is it's a security issue that we have ranked at a 7.5 High severity and that it impacts all supported versions of Jamf Pro. There are a few more details that will be shared via email from Customer Success, but the crux of the info is that it's a high security severity that is only fixable via upgrading Jamf Pro.
@BadinChuck, Jamf Cloud mass upgrades are scheduled in advance so customers know when services may be unavailable. If a cloud customer wishes to upgrade sooner, they just need to reach out to Customer Success. Since we have no control over when customers who host their own instances update, we provide the installer immediately and just ask that they do it at their earliest convenience to best protect themselves from risks.
@joseph_thompson All standard hosting Jamf Cloud will be updated to 10.32.1 this weekend unless it's otherwise requested by the customer. If you put in a request this morning you should expect a response soon and they will be able to upgrade you ahead of schedule if that is your request.
@inflicted, No, the hot fix above is to resolve the Jamf product issue PI-010111.
The forcedentry vulnerability is related to Apple OS functionality. More information on their recent updates can be found at Apple: https://support.apple.com/en-ca/HT212807 & https://support.apple.com/en-us/HT212804
It is recommended that people update to versions recommended by vendors to resolve the issues.