Jamf Nation Community

JenK · ‎12-10-2021

Hello Jamf Nation,

Today we're releasing an update for Jamf Pro that addresses critical security issue CVE-2021-44228. For details on how we’re addressing this vulnerability across the Jamf platform, please see this Jamf Nation post.

We strongly recommend that you upgrade to Jamf Pro 10.34.1 as soon as possible.

Please read the resolved issues section of the release notes for more information. Additional details on the resolved vulnerability will be made available on a future date to allow for Jamf Pro instances to be updated before full disclosure.

Please note that this only impacts Jamf Pro environments hosted on-premises. Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls.

We will also be sending this information via email to primary technical contacts at affected organizations.

Update:

The bug fix description for PI-010403 in the release notes has been updated to reflect recently discovered information.

bethjohnson · ‎12-11-2021

What's the status of the Jamf Pro Server Tools in this release? Do we need to reinstall a non-broken version?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"You do not rise to the level of your goals; you fall to the level of your systems." James Clear

david_brazeau · ‎12-11-2021

@bethjohnson No, 10.34.1 contains Jamf Pro Server Tools 2.7.11, so you do not need to reinstall anything.

user-KMLLovVGkW · ‎12-11-2021

Just an idea.. Maybe throw the link to download the release here as well.

donmontalvo · ‎12-11-2021

https://account.jamf.com/products/jamf-pro

PS, read the update FYI regarding Server Tools version 2.7.11.

--
https://donmontalvo.com

donmontalvo · ‎12-11-2021

Thanks for the fast zero-day mitigation. Plus, its raining here, so. 🙂

--
https://donmontalvo.com

donmontalvo · ‎12-11-2021

Jamf...please preserve our session timeout in session.properties file...it gets reverted to default on every update. 🙂

--
https://donmontalvo.com

iviemeister · ‎12-11-2021

Note that contrary to the comment in the release notes: "This vulnerability poses a risk to private data. It does not have the potential to impact managed devices or the integrity and availability of your web server." - this does appear to allow RCE as the "jamftomcat" user.

Between looking for this update/remediation and deploying it, we discovered a Monero-miner bot dropped in /tmp, running as the jamftomcat user.

Given that the jamftomcat user has access to the DB, and is the owner of most of the executable files in a JSS deployment, I'd say that this absolutely DOES have "the potential to impact managed devices or the integrity and availability of your web server".

Aaron_Kiemele · ‎12-12-2021

Thanks you @iviemeister, we will update our release notes.

If you experience any issues with your Jamf Pro server please report it to technical support as soon as possible. Cloud instances sit behind a web application firewall that actively is filtering out malicious traffic. Anomaly detection tools are implemented and tested to verify that it catches and alerts on any concern that are raised. As always if you see an issue with an on premise Jamf Pro installation or Jamf Cloud please immediately reach out to support@jamf.com

Aaron Kiemele
Chief Information Security Officer, Jamf

iviemeister · ‎12-12-2021

Hi @Aaron_Kiemele - the full details of what we found are in Case #: JAMF-3302240, opened last night.

colorenz · ‎12-12-2021

Hey is WAF implementation safe or are there ways to bypass, or Should we also update our Cloud Instance to 10.34.1 if possible?

https://twitter.com/bountyoverflow/status/1470001858873802754?s=21

Best Regards
colorenz

Aaron_Kiemele · ‎12-12-2021

While I cannot speak to individual cases, WAF is not sufficient alone, it should be used in conjunction with other layered security controls, proper configuration of the log4j2.formatMsgNoLookups parameter and/or a fully patched version such as 10.34.1. I would encourage you to reach out to support to discuss your individual case or refer to details described in primary thread for the issue.

colorenz · ‎12-12-2021

Thanks for you response.

We are in the Jamf Premium Cloud.

The question was: Is jamf detecting every attack ? Or is it possible to bypass your security Systems?

And should we schedule a update with the support to update to 10.34.1 as soon as possible?

donmontalvo · ‎12-13-2021

log4shell

^^^Just adding so it comes up in a search.

--
https://donmontalvo.com

hansjoerg_watzl · ‎12-17-2021

I updated our Jamf Pro on premise server yesterday to 10.34.1. Was surprised, that still log4j version 2.15 will be installed, which is not 100% safe. Version 2.16 should be installed. (I manually installed it from the apache page after the Jamf update.)

Hopefully Jamf will include log4j 2.16 in their 10.34.1 package as soon as possible!

donmontalvo · ‎12-17-2021

Jamf confirmed the product isn’t affected by CVE-2021-45046, so 2.16 isn’t needed.

--
https://donmontalvo.com

jracosta · ‎12-17-2021

Thanks for the quick release but seeing some GUI navigation issues with the on-prem version of 10.34.1. Specifically some back buttons in the GUI are not working and/or returning to other screens. Most notably viewing devices attached to a smart/group or an inventory report, the back button is not working in the GUI.

Jamf Nation Community

Jamf Pro 10.34.1 Release Now Available