Jamf Pro 10.34.2 Now Available

kaylee_carlson
Contributor
Contributor
Hello Jamf Nation,
 
Today we're releasing an update for Jamf Pro that addresses critical security issues CVE-2021-44228 and CVE-2021-45046. For details on how we’re addressing these vulnerabilities across the Jamf platform, please see this Jamf Nation post. Because keeping our customers’ environments secure is of the utmost importance, we’ll continue to be very intentional about when and how we communicate. 
 
We strongly recommend that you upgrade to Jamf Pro 10.34.2 as soon as possible. Customers utilizing our cloud-based products have had the vulnerability mitigated through layered security controls. We are confident that these mitigations are effective against all known attacks. Out an abundance of caution, we are releasing Jamf Pro 10.34.2 to include log4j 2.16 and mitigate all currently known log4j vulnerabilities.
 
Please read the resolved issues section of the release notes for more information. Additional details on the resolved vulnerability will be made available on a future date to allow for Jamf Pro instances to be updated before full disclosure.
 
 
We will also be sending this information via email to primary technical contacts at affected organizations.
 
Thank you!
49 REPLIES 49

swapple
Contributor III

tough time to take out the cloud when people are also trying to remediate log4j with Jamf. Hope this includes a way for Jamf to detect 3rd party log4j issues.


@swapple wrote:

tough time to take out the cloud when people are also trying to remediate log4j with Jamf. Hope this includes a way for Jamf to detect 3rd party log4j issues.


they added this to Jamf Protect this week - "SuspiciousJavaActivity
This analytic will show when the curl command or an interactive bash shell is executed under Java. To date these are the most common actions being taken by successful log4j exploits. These actions might also be performed by legitimate Java applications in your environment. It is up to the analyst to determine if the detected application should be performing these actions."

But did the figure this out 2 seconds before they did the update so there was no choice but to kick everyone working in Jamf out??  No time to schedule it? No notifications???  

We understand the need to do it. The method has destroyed a lot of confidence in Jamf that it was done with very little notice.

bgrant11
New Contributor III

I don't know what you're complaining about. They sent out a mail during my lunch break, 20 mins before they kicked it off, outlining an undefined start time of "soon", and with no expected completion time. lol.  

user-ZUPgxRGAaX
New Contributor

any ideas on ETA? This literally went down as we are enrolling several devices for EOD delivery 

ShadowGT
New Contributor III

Was there communication or notice for the cloud maintenance? The previous release note said that the cloud instance was mitigated already. Why are we doing this during the day now and not when 10.34.2 was first released? This action has disturbed my works on remediating Log4J with my security dept and my companies Mac and iOS provisioning. 

atomczynski
Valued Contributor

@ShadowGT 

I believe the original patch secured for version .15 which we have learned introduced their own vulnerabilities which version .16 patches.

ShadowGT
New Contributor III

@atomczynski That makes sense and thank you for the info,  but I'm more concerned about the unscheduled maintenance downtime during working hours.

skelllter
New Contributor II

This is unfortunate timing on the maintenance period. ETA please?

MikeyJAP
New Contributor II

Agree here, the maintenance period should had been communicated before it even started.

TimWeed
New Contributor

No access to admin console. This is a major disruption to my hospital operations!

atomczynski
Valued Contributor

All good valid points.

I do belive they either saw it already being exploited or weighted the potential risk in future scheduling vs an operations disruptions and decided to go with the route they did.

CommandShiftK
New Contributor III

The timing kinda stinks, I was in the middle of a Tanium agent update deployment to my fleet...

andyinindy
Contributor II

This is completely unacceptable. Zero communication of a "scheduled" maintenance in the middle of the work day? If any of us did this, we'd be shown the door. There had better be a good explanation for this. 

Communication was sent via email, prior to the change being implemented.

Thats a terrible reply and look at the situation. Giving a heads up 20 minutes before taking the instance out is not acceptable by any means unless they actively noticed an attack ongoing. Most of us were hit in the middle of the day with no warning, I don't check my email every minute, as my workflow does not allow for this. Taking down an instance with close to no warning is unacceptable in every sense of the word. While you are technically correct, the issue is not whether or not an email or communication went out. But the shoddy and terrible timing and effects it had for those of us caught with little to no warning. Don't be so glib with your response, just because you may not have been effected, doesn't mean the rest of us weren't.

Never claimed I wasn't affected and never claimed anyone else was. I merely stated communication was sent out. Also, you bring up a good point, that to my knowledge has not been determined or at least publicly communicated: that is that none of us know whether an attack was active or not. Don't be so quick to rush to conclusions is merely all i was trying to infer with my factual response.

I agree with your last part, and understand where you are coming from as your answer was technically correct, but as you can see from the myriad of responses here, the timing and execution was terrible. Even taking that into account, the communication was also incredibly poor. The response you are posting on this thread (in a few locations) just comes off as a little tone deaf considering the impact it had on a lot of us. I meant no attack or disrespect by any means, so I apologize if it comes off that way, but there were a lot of issues introduced to our environment due to computers being knocked offline (server connections) during usage that we are still trying to get resolved

I certainly understand, we were in the middle of testing some detection scripts for log4j and poof, gone. I thought it would be around an hour tops, but nope, quite an extended outage. I understand the pain, but also want to cut JAMF some slack in the sense that I've not seen anything else like this in the 5 or so years I've been a customer and due to the severity of the vulnerability/the unknown of whether there was an actual attack in place.

You do bring up a good point, Jamf has been fairly solid overall, and frankly their patch policy has been on the better end of companies I use. I think this is one of those "I'm frustrated at the situation" kind of things. Especially given the impact and timing, not just in the day/week, but just right before the holidays, with some folks having smaller crews, etc. My thoughts are they had an active attack or proof of one that happened since the last patch (if I remember correctly there were 2 in a short window) but either way. Sorry for the post venting, and hope you have a happy holiday season!

All valid points for venting 🙂 Merry Christmas Friend and a Happy New Year!

d3xbot
New Contributor II

Dang near had a heart attack when one of my techs messaged me "Hey is our Jamf portal down?"

 

Glad we're getting Log4J mitigation, but it would've been nice to get some advanced warning on this so I could alert my team 🙂

geoffreykobrien
Contributor

4pm on a Friday, thanks JAMF.....

CommandShiftK
New Contributor III

.

donmontalvo
Esteemed Contributor III

When it comes to mitigating vulnerabilities, one thing is for sure, Jamf is bad @$$!

--
https://donmontalvo.com

apizz
Valued Contributor

Yeah this upgrade is pretty bad timing for us as well ... Pressure changes everything and it appears we customers get the short end of the stick 😕

James_SM
New Contributor

Ouch. I get why JAMF would want to get this patched ASAP. But just a bit of communication would have been nice so we can prepare on what we can and can't do during the update.

donmontalvo
Esteemed Contributor III

Some links that might find a home in your browser bookmarks, or maybe a Jamf FAQ:

server-tools.jar
https://archive.services.jamfcloud.com/#jamf-pro-server-tools/release/latest/gui/

Jamf Pro Server Tools
https://account.jamf.com/products/other/jamf-pro-server-tools

Jamf Pro
https://account.jamf.com/products/jamf-pro

--
https://donmontalvo.com

nebjamf
New Contributor II

No communication regarding a mid afternoon maintenance window on a weekday?  Ouch.

Email communication was sent prior to start 

KevyKev_7
New Contributor II

sorry but 20 min before taking it down when a previous email stated nothing needed to be done is just crazy and would be viewed as completely not okay in any corp environment. 

an emergency change control for an active exploited attack like this is acceptable to me as a customer especially considering the repercussions if said attack would have been successful.

armentrout
New Contributor II

I was in the middle of wiping several machines campus wide, I got get some water and come back to the admin portal being down.  Helluva way to not get ahead.  Oh well, hopefully it's back up soon.

 

KevyKev_7
New Contributor II

appreciate the patch, but would really loved more email communication on when this was happening...

kjennings
New Contributor II

Really disappointed about the timing and lack of warning here. Doing enrollments and I was already cutting it close on an EOD deadline that I now won't be able to meet. Business will be negatively impacted.

bgrant11
New Contributor III

I am getting blown up by co-workers and will now have to have meeting about this. If the patch took 15 mins fine, but this? It's been over 2 hours in the middle of the work day! 

user-XYWYxGZktS
New Contributor

Is there an estimated return to service? It’s been down for hours. 

mbezzo
Contributor III

Looks like they were planning for a long one per the (separate!!!???) maintenance email:

JamfMaint.png

kjennings
New Contributor II

Eighteen hours??? 😱 Oh no...