Jamf Nation Community

---

@swapple wrote:

tough time to take out the cloud when people are also trying to remediate log4j with Jamf. Hope this includes a way for Jamf to detect 3rd party log4j issues.

---

they added this to Jamf Protect this week - "SuspiciousJavaActivity
This analytic will show when the curl command or an interactive bash shell is executed under Java. To date these are the most common actions being taken by successful log4j exploits. These actions might also be performed by legitimate Java applications in your environment. It is up to the analyst to determine if the detected application should be performing these actions."

But did the figure this out 2 seconds before they did the update so there was no choice but to kick everyone working in Jamf out??  No time to schedule it? No notifications???  

We understand the need to do it. The method has destroyed a lot of confidence in Jamf that it was done with very little notice.

I don't know what you're complaining about. They sent out a mail during my lunch break, 20 mins before they kicked it off, outlining an undefined start time of "soon", and with no expected completion time. lol.  

Communication was sent via email, prior to the change being implemented.

Thats a terrible reply and look at the situation. Giving a heads up 20 minutes before taking the instance out is not acceptable by any means unless they actively noticed an attack ongoing. Most of us were hit in the middle of the day with no warning, I don't check my email every minute, as my workflow does not allow for this. Taking down an instance with close to no warning is unacceptable in every sense of the word. While you are technically correct, the issue is not whether or not an email or communication went out. But the shoddy and terrible timing and effects it had for those of us caught with little to no warning. Don't be so glib with your response, just because you may not have been effected, doesn't mean the rest of us weren't.

Never claimed I wasn't affected and never claimed anyone else was. I merely stated communication was sent out. Also, you bring up a good point, that to my knowledge has not been determined or at least publicly communicated: that is that none of us know whether an attack was active or not. Don't be so quick to rush to conclusions is merely all i was trying to infer with my factual response.

I agree with your last part, and understand where you are coming from as your answer was technically correct, but as you can see from the myriad of responses here, the timing and execution was terrible. Even taking that into account, the communication was also incredibly poor. The response you are posting on this thread (in a few locations) just comes off as a little tone deaf considering the impact it had on a lot of us. I meant no attack or disrespect by any means, so I apologize if it comes off that way, but there were a lot of issues introduced to our environment due to computers being knocked offline (server connections) during usage that we are still trying to get resolved

I certainly understand, we were in the middle of testing some detection scripts for log4j and poof, gone. I thought it would be around an hour tops, but nope, quite an extended outage. I understand the pain, but also want to cut JAMF some slack in the sense that I've not seen anything else like this in the 5 or so years I've been a customer and due to the severity of the vulnerability/the unknown of whether there was an actual attack in place.

You do bring up a good point, Jamf has been fairly solid overall, and frankly their patch policy has been on the better end of companies I use. I think this is one of those "I'm frustrated at the situation" kind of things. Especially given the impact and timing, not just in the day/week, but just right before the holidays, with some folks having smaller crews, etc. My thoughts are they had an active attack or proof of one that happened since the last patch (if I remember correctly there were 2 in a short window) but either way. Sorry for the post venting, and hope you have a happy holiday season!

All valid points for venting 🙂 Merry Christmas Friend and a Happy New Year!

Email communication was sent prior to start 

sorry but 20 min before taking it down when a previous email stated nothing needed to be done is just crazy and would be viewed as completely not okay in any corp environment. 

an emergency change control for an active exploited attack like this is acceptable to me as a customer especially considering the repercussions if said attack would have been successful.

Eighteen hours??? 😱 Oh no...