12-10-2021 07:00 PM - edited 12-12-2021 11:51 AM
Posted on 12-11-2021 05:38 AM
What's the status of the Jamf Pro Server Tools in this release? Do we need to reinstall a non-broken version?
Posted on 12-11-2021 07:53 AM
@bethjohnson No, 10.34.1 contains Jamf Pro Server Tools 2.7.11, so you do not need to reinstall anything.
Posted on 12-11-2021 08:30 AM
Just an idea... Maybe throw the link to download the release here as well.
12-11-2021 11:21 AM - edited 12-11-2021 11:22 AM
https://account.jamf.com/products/jamf-pro
PS: read the update FYI regarding Server Tools version 2.7.11.
Posted on 12-11-2021 11:15 AM
Thanks for the fast zero-day mitigation. Plus, it's raining here, so. 🙂
Posted on 12-11-2021 11:36 AM
Jamf...please preserve our session timeout in session.properties file...it gets reverted to default on every update. 🙂
Posted on 12-11-2021 07:39 PM
Note that contrary to the comment in the release notes: "This vulnerability poses a risk to private data. It does not have the potential to impact managed devices or the integrity and availability of your web server." - this does appear to allow RCE as the "jamftomcat" user.
Between looking for this update/remediation and deploying it, we discovered a Monero-miner bot dropped in /tmp, running as the jamftomcat user.
Given that the jamftomcat user has access to the DB, and is the owner of most of the executable files in a JSS deployment, I'd say that this absolutely DOES have "the potential to impact managed devices or the integrity and availability of your web server".
12-12-2021 11:05 AM - edited 12-12-2021 11:09 AM
Thank you @iviemeister, we will update our release notes.
If you experience any issues with your Jamf Pro server, please report them to technical support as soon as possible. Cloud instances sit behind a web application firewall that is actively filtering out malicious traffic. Anomaly detection tools are implemented and tested to verify that they catch and alert on any concerns that are raised. As always, if you see an issue with an on-premises Jamf Pro installation or Jamf Cloud, please immediately reach out to support@jamf.com.
Aaron Kiemele
Chief Information Security Officer, Jamf
Posted on 12-12-2021 11:18 AM
Hi @Aaron_Kiemele - the full details of what we found are in Case #: JAMF-3302240, opened last night.
12-12-2021 02:46 PM - edited 12-12-2021 02:47 PM
Hey, is the WAF implementation safe or are there ways to bypass it, or should we also update our Cloud instance to 10.34.1 if possible?
https://twitter.com/bountyoverflow/status/1470001858873802754?s=21
Best Regards
colorenz
Posted on 12-12-2021 03:04 PM
While I cannot speak to individual cases, WAF is not sufficient alone; it should be used in conjunction with other layered security controls, proper configuration of the log4j2.formatMsgNoLookups parameter and/or a fully patched version such as 10.34.1. I would encourage you to reach out to support to discuss your individual case or refer to the details described in the primary thread for the issue.
Posted on 12-12-2021 03:23 PM
Thanks for your response.
We are in the Jamf Premium Cloud.
The question was: Is Jamf detecting every attack? Or is it possible to bypass your security systems?
And should we schedule an update with support to update to 10.34.1 as soon as possible?
Posted on 12-13-2021 07:46 AM
log4shell
^^^Just adding so it comes up in a search.
Posted on 12-17-2021 01:27 AM
I updated our Jamf Pro on-premises server yesterday to 10.34.1. I was surprised that log4j version 2.15 still gets installed, which is not 100% safe. Version 2.16 should be installed. (I manually installed it from the Apache page after the Jamf update.)
Hopefully Jamf will include log4j 2.16 in their 10.34.1 package as soon as possible!
12-17-2021 06:46 AM - edited 12-17-2021 06:48 AM
Jamf confirmed the product isn’t affected by CVE-2021-45046, so 2.16 isn’t needed.
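The version thresholds and the formatMsgNoLookups mitigation discussed in this thread can be checked on an on-premises server with the following Python. This is an added example, not Jamf's code or anything posted in the thread; it reads the Maven metadata inside a log4j-core jar, checks whether JndiLookup.class is present, and classifies the jar against the fixes above. The jar built by make_test_jar is a constructed fixture.

```python
import io
import re
import zipfile

# Maven metadata inside log4j-core and the class that performs JNDI lookups
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_jar(jar_bytes: bytes) -> tuple:
    """Return (log4j-core version or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM in names:
            for line in zf.read(POM).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI in names

def parse_version(version: str) -> tuple:
    """'2.15.0' -> (2, 15, 0); missing components default to 0, suffixes are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def assess(jar_bytes: bytes, jvm_opts: str = "") -> str:
    """Classify one log4j-core jar against the fixes and mitigation discussed above."""
    version, has_jndi = inspect_jar(jar_bytes)
    if not has_jndi:
        return "jndi-lookup-removed"    # class deleted from the jar: no JNDI lookup possible
    if version is None:
        return "unknown-version"        # metadata missing: inspect the jar by hand
    v = parse_version(version)
    if v >= (2, 16, 0):
        return "patched"                # CVE-2021-44228 and CVE-2021-45046 addressed
    if v >= (2, 15, 0):
        return "patched-44228-only"     # what the thread reports 10.34.1 ships
    if "-Dlog4j2.formatMsgNoLookups=true" in jvm_opts and v >= (2, 10, 0):
        return "mitigated-by-flag"      # the flag only exists from 2.10 onward
    return "vulnerable"

def make_test_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed fixture: a minimal jar carrying only the entries assess() reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()
```

For a real check, pass assess() the bytes of each log4j-core-*.jar under the Tomcat webapp's WEB-INF/lib directory together with the JVM options the service actually runs with.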
Posted on 12-17-2021 06:51 AM
Thanks for the quick release, but I'm seeing some GUI navigation issues with the on-prem version of 10.34.1. Specifically, some back buttons in the GUI are not working and/or are returning to other screens. Most notably, when viewing devices attached to a smart/group or an inventory report, the back button is not working in the GUI.