Note that contrary to the comment in the release notes: "This vulnerability poses a risk to private data. It does not have the potential to impact managed devices or the integrity and availability of your web server." - this does appear to allow RCE as the "jamftomcat" user.
Between looking for this update/remediation and deploying it, we discovered a Monero-miner bot dropped in /tmp, running as the jamftomcat user.
Given that the jamftomcat user has access to the DB, and is the owner of most of the executable files in a JSS deployment, I'd say that this absolutely DOES have "the potential to impact managed devices or the integrity and availability of your web server".
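The miner found in /tmp above is the kind of thing a simple host check can catch. This is an added example, not code from the thread or from Jamf: it parses `ps`-style output (the sample lines are constructed) and reports processes owned by the `jamftomcat` service account whose executable, or the script passed to a shell, lives in a scratch directory. The list of scratch directories is an assumption; a Tomcat web application should not be executing anything from them.

```python
"""Flag processes running as the Jamf Tomcat service account out of scratch dirs.

Added example (not from the thread): parse `ps -eo user,pid,args`-style text
and report processes owned by `jamftomcat` that execute from /tmp and friends.
The sample output below is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

SERVICE_USER = "jamftomcat"                          # account named in the thread
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumption: dirs a web app never executes from

# Constructed sample of `ps -eo user,pid,args` output; not real data.
SAMPLE_PS = """\
USER         PID ARGS
root           1 /sbin/init
jamftomcat  2031 /usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
jamftomcat  4410 /tmp/.x/miner --url pool.example.invalid:3333 --threads 4
postgres    1187 /usr/lib/postgresql/bin/postgres
jamftomcat  4417 /bin/sh -c /var/tmp/.cache/run.sh
"""

@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    exe: str
    args: str

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)(.*)$")

def parse_ps(text: str):
    """Yield (user, pid, exe, args) for each data line, skipping the header row."""
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue
        user, pid, exe, rest = m.groups()
        yield user, int(pid), exe, rest.strip()

def scratch_exec(exe: str, args: str) -> bool:
    """True if the binary itself, or any argument such as a script path, sits in a scratch dir."""
    candidates = [exe] + args.split()
    return any(c.startswith(SCRATCH_DIRS) for c in candidates)

def suspicious_processes(ps_text: str, user: str = SERVICE_USER):
    """Return service-account processes that execute from scratch directories."""
    return [
        Finding(pid, u, exe, args)
        for u, pid, exe, args in parse_ps(ps_text)
        if u == user and scratch_exec(exe, args)
    ]

if __name__ == "__main__":
    for f in suspicious_processes(SAMPLE_PS):
        print(f"pid={f.pid} user={f.user} exe={f.exe} args={f.args}")
```

On a live host the same logic applies to the real `ps -eo user,pid,args` output; the Tomcat JVM itself (pid 2031 in the sample) is not flagged because it runs from its installation path.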
Thank you @iviemeister, we will update our release notes.
If you experience any issues with your Jamf Pro server, please report it to technical support as soon as possible. Cloud instances sit behind a web application firewall that is actively filtering out malicious traffic. Anomaly detection tools are implemented and tested to verify that they catch and alert on any concerns that are raised. As always, if you see an issue with an on-premises Jamf Pro installation or Jamf Cloud, please immediately reach out to email@example.com
Chief Information Security Officer, Jamf
Hey, is the WAF implementation safe, or are there ways to bypass it? Or should we also update our Cloud instance to 10.34.1 if possible?
While I cannot speak to individual cases, a WAF is not sufficient alone; it should be used in conjunction with other layered security controls, proper configuration of the log4j2.formatMsgNoLookups parameter and/or a fully patched version such as 10.34.1. I would encourage you to reach out to support to discuss your individual case or refer to the details described in the primary thread for the issue.
I updated our Jamf Pro on-premises server yesterday to 10.34.1. I was surprised that log4j version 2.15 is still installed, which is not 100% safe. Version 2.16 should be installed. (I manually installed it from the Apache page after the Jamf update.)
Hopefully Jamf will include log4j 2.16 in their 10.34.1 package as soon as possible!
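The two posts above name the two things an on-premises admin wants to verify after the update: which log4j-core version the webapp actually ships, and whether message lookups are disabled through `log4j2.formatMsgNoLookups` where the version is still below 2.16.0. The script below is an added example, not Jamf's tooling: it reads the version from each jar's MANIFEST (`Implementation-Version`, falling back to the filename), checks the JVM options and environment for the lookup switch, and reports anything below 2.16.0 as needing an upgrade regardless of the flag, matching the poster's point that 2.15 is not sufficient. The jars and `WEB-INF/lib` layout in `demo()` are constructed in a temp directory and are not Jamf's real paths.

```python
"""Verify log4j-core version and the formatMsgNoLookups switch on a Tomcat host.

Added example (not Jamf's code). Reports, per log4j-core jar found under a
root: its version, whether it is below 2.16.0 (needs_upgrade), and whether
message lookups are disabled via -Dlog4j2.formatMsgNoLookups=true or the
LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable. demo() builds constructed
jars in a temp directory so the whole thing runs offline.
"""
import re
import shlex
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

SAFE_VERSION = (2, 16, 0)   # version the post above says should be installed

def parse_version(text: str) -> Optional[tuple]:
    """Extract a major.minor.patch tuple from a manifest line or a jar filename."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def jar_version(jar: Path) -> Optional[tuple]:
    """Prefer the manifest's Implementation-Version; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line)
    except (zipfile.BadZipFile, KeyError):
        pass
    return parse_version(jar.name)

def find_log4j_core(root: Path):
    """Locate every log4j-core jar beneath the webapp root."""
    return sorted(root.rglob("log4j-core-*.jar"))

def lookups_disabled(java_opts: str, env: dict) -> bool:
    """True if the system property or the env var turns message lookups off."""
    for tok in shlex.split(java_opts):
        if tok.lower() == "-dlog4j2.formatmsgnolookups=true":
            return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"

def assess(root: Path, java_opts: str, env: dict) -> dict:
    """Map each jar name to its version, upgrade need, and lookup state."""
    disabled = lookups_disabled(java_opts, env)
    report = {}
    for jar in find_log4j_core(root):
        ver = jar_version(jar)
        report[jar.name] = {
            "version": ".".join(map(str, ver)) if ver else "unknown",
            # unknown versions are treated as needing an upgrade
            "needs_upgrade": ver is None or ver < SAFE_VERSION,
            "lookups_disabled": disabled,
        }
    return report

def make_fake_jar(path: Path, impl_version: str) -> None:
    """Constructed stand-in for a real jar: a zip holding only a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")

def demo() -> dict:
    """Assess a constructed webapp tree holding a 2.15.0 and a 2.16.0 jar."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"   # hypothetical layout, not Jamf's path
        lib.mkdir(parents=True)
        make_fake_jar(lib / "log4j-core-2.15.0.jar", "2.15.0")
        make_fake_jar(lib / "log4j-core-2.16.0.jar", "2.16.0")
        return {
            "no_flag": assess(Path(tmp), "-Xmx2g", {}),
            "with_flag": assess(Path(tmp), "-Xmx2g -Dlog4j2.formatMsgNoLookups=true", {}),
        }

if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Against a real install, point `assess()` at the Tomcat webapp directory and pass the JVM options and environment the service actually starts with; a 2.15.0 jar is reported as `needs_upgrade` whether or not the flag is present.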
Thanks for the quick release but seeing some GUI navigation issues with the on-prem version of 10.34.1. Specifically some back buttons in the GUI are not working and/or returning to other screens. Most notably viewing devices attached to a smart/group or an inventory report, the back button is not working in the GUI.