Jamf Pro 10.34.1 Release Now Available

What's the status of the Jamf Pro Server Tools in this release? Do we need to reinstall a non-broken version?

@bethjohnson No, 10.34.1 contains Jamf Pro Server Tools 2.7.11, so you do not need to reinstall anything.

Just an idea.. Maybe throw the link to download the release here as well.

Thanks for the fast zero-day mitigation. Plus, its raining here, so. 🙂

https://account.jamf.com/products/jamf-pro

PS, read the update FYI regarding Server Tools version 2.7.11.

Jamf...please preserve our session timeout in session.properties file...it gets reverted to default on every update. 🙂

Note that contrary to the comment in the release notes: "This vulnerability poses a risk to private data. It does not have the potential to impact managed devices or the integrity and availability of your web server." - this does appear to allow RCE as the "jamftomcat" user.

Between looking for this update/remediation and deploying it, we discovered a Monero-miner bot dropped in /tmp, running as the jamftomcat user.

Given that the jamftomcat user has access to the DB, and is the owner of most of the executable files in a JSS deployment, I'd say that this absolutely DOES have "the potential to impact managed devices or the integrity and availability of your web server".

Thanks you @iviemeister, we will update our release notes. 

If you experience any issues with your Jamf Pro server please report it to technical support as soon as possible. Cloud instances sit behind a web application firewall that actively is filtering out malicious traffic. Anomaly detection tools are implemented and tested to verify that it catches and alerts on any concern that are raised. As always if you see an issue with an on premise Jamf Pro installation or Jamf Cloud please immediately reach out to support@jamf.com

Aaron Kiemele
Chief Information Security Officer, Jamf

Hi @Aaron_Kiemele - the full details of what we found are in Case #: JAMF-3302240, opened last night.

Hey is WAF implementation safe or are there ways to bypass, or Should we also update our Cloud Instance to 10.34.1 if possible?

https://twitter.com/bountyoverflow/status/1470001858873802754?s=21 

Best Regards
colorenz

While I cannot speak to individual cases, WAF is not sufficient alone, it should be used in conjunction with other layered security controls, proper configuration of the log4j2.formatMsgNoLookups parameter and/or a fully patched version such as 10.34.1. I would encourage you to reach out to support to discuss your individual case or refer to details described in primary thread for the issue. 

Thanks for you response.

We are in the Jamf Premium Cloud.

The question was: Is jamf detecting every attack ? Or is it possible to bypass your security Systems?

And should we schedule a update with the support to update to 10.34.1 as soon as possible?

log4shell

^^^Just adding so it comes up in a search.

I updated our Jamf Pro on premise server yesterday to 10.34.1. Was surprised, that still log4j version 2.15 will be installed, which is not 100% safe. Version 2.16 should be installed. (I manually installed it from the apache page after the Jamf update.)

Hopefully Jamf will include log4j 2.16 in their 10.34.1 package as soon as possible!

Jamf confirmed the product isn’t affected by CVE-2021-45046, so 2.16 isn’t needed. 

Thanks for the quick release but seeing some GUI navigation issues with the on-prem version of 10.34.1. Specifically some back buttons in the GUI are not working and/or returning to other screens. Most notably viewing devices attached to a smart/group or an inventory report, the back button is not working in the GUI.