tough time to take out the cloud when people are also trying to remediate log4j with Jamf. Hope this includes a way for Jamf to detect 3rd party log4j issues.
they added this to Jamf Protect this week - "SuspiciousJavaActivity
This analytic will show when the curl command or an interactive bash shell is executed under Java. To date these are the most common actions being taken by successful log4j exploits. These actions might also be performed by legitimate Java applications in your environment. It is up to the analyst to determine if the detected application should be performing these actions."
But did the figure this out 2 seconds before they did the update so there was no choice but to kick everyone working in Jamf out?? No time to schedule it? No notifications???
We understand the need to do it. The method has destroyed a lot of confidence in Jamf that it was done with very little notice.
I don't know what you're complaining about. They sent out a mail during my lunch break, 20 mins before they kicked it off, outlining an undefined start time of "soon", and with no expected completion time. lol.
Was there communication or notice for the cloud maintenance? The previous release note said that the cloud instance was mitigated already. Why are we doing this during the day now and not when 10.34.2 was first released? This action has disturbed my works on remediating Log4J with my security dept and my companies Mac and iOS provisioning.
Thats a terrible reply and look at the situation. Giving a heads up 20 minutes before taking the instance out is not acceptable by any means unless they actively noticed an attack ongoing. Most of us were hit in the middle of the day with no warning, I don't check my email every minute, as my workflow does not allow for this. Taking down an instance with close to no warning is unacceptable in every sense of the word. While you are technically correct, the issue is not whether or not an email or communication went out. But the shoddy and terrible timing and effects it had for those of us caught with little to no warning. Don't be so glib with your response, just because you may not have been effected, doesn't mean the rest of us weren't.
Never claimed I wasn't affected and never claimed anyone else was. I merely stated communication was sent out. Also, you bring up a good point, that to my knowledge has not been determined or at least publicly communicated: that is that none of us know whether an attack was active or not. Don't be so quick to rush to conclusions is merely all i was trying to infer with my factual response.
I agree with your last part, and understand where you are coming from as your answer was technically correct, but as you can see from the myriad of responses here, the timing and execution was terrible. Even taking that into account, the communication was also incredibly poor. The response you are posting on this thread (in a few locations) just comes off as a little tone deaf considering the impact it had on a lot of us. I meant no attack or disrespect by any means, so I apologize if it comes off that way, but there were a lot of issues introduced to our environment due to computers being knocked offline (server connections) during usage that we are still trying to get resolved
I certainly understand, we were in the middle of testing some detection scripts for log4j and poof, gone. I thought it would be around an hour tops, but nope, quite an extended outage. I understand the pain, but also want to cut JAMF some slack in the sense that I've not seen anything else like this in the 5 or so years I've been a customer and due to the severity of the vulnerability/the unknown of whether there was an actual attack in place.
You do bring up a good point, Jamf has been fairly solid overall, and frankly their patch policy has been on the better end of companies I use. I think this is one of those "I'm frustrated at the situation" kind of things. Especially given the impact and timing, not just in the day/week, but just right before the holidays, with some folks having smaller crews, etc. My thoughts are they had an active attack or proof of one that happened since the last patch (if I remember correctly there were 2 in a short window) but either way. Sorry for the post venting, and hope you have a happy holiday season!
Some links that might find a home in your browser bookmarks, or maybe a Jamf FAQ:
Jamf Pro Server Tools
I was in the middle of wiping several machines campus wide, I got get some water and come back to the admin portal being down. Helluva way to not get ahead. Oh well, hopefully it's back up soon.