Jamf Pro 10.34.2 Now Available

kaylee_carlson
Contributor
Hello Jamf Nation,
 
Today we're releasing an update for Jamf Pro that addresses critical security issues CVE-2021-44228 and CVE-2021-45046. For details on how we’re addressing these vulnerabilities across the Jamf platform, please see this Jamf Nation post. Because keeping our customers’ environments secure is of the utmost importance, we’ll continue to be very intentional about when and how we communicate. 
 
We strongly recommend that you upgrade to Jamf Pro 10.34.2 as soon as possible. Customers utilizing our cloud-based products have had the vulnerability mitigated through layered security controls. We are confident that these mitigations are effective against all known attacks. Out of an abundance of caution, we are releasing Jamf Pro 10.34.2 to include log4j 2.16 and mitigate all currently known log4j vulnerabilities.
 
Please read the resolved issues section of the release notes for more information. Additional details on the resolved vulnerability will be made available on a future date to allow for Jamf Pro instances to be updated before full disclosure.
 
 
We will also be sending this information via email to primary technical contacts at affected organizations.
 
Thank you!

Resnickc
New Contributor

I find it a little hard to believe that on 12/10 we got this email with regard to Jamf and the identified vulnerability, stating that Jamf Pro Cloud and Jamf Cloud Premium were mitigated through appropriate security controls. No further actions are necessary! Here we are locked out of the Cloud solution to mitigate something that was already stated as being done on 12/10/2021. Major disruption to my Health System.

 

On December 9, 2021, a Remote Code Execution (RCE) vulnerability (CVE-2021-44228) was identified in the log4j library (https://www.lunasec.io/docs/blog/log4j-zero-day/) and multiple threat actors have been found to be scanning for vulnerable systems. We are actively working to assess the impact and mitigate the vulnerability across our platform (tracked as PI-010403).

 

Due to the nature of the issue, this is considered a critical vulnerability.

 

What Jamf products are impacted by the vulnerability?

 

Jamf Pro (hosted on-premises): Affected

Jamf Pro 10.14 and later include Java 11 which partially mitigated the issue. We are actively working on a complete mitigation in a new Jamf Pro release. Until this version is available, a manual workaround to update the log4j library directly is documented below.

 

Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated

Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.

 

Jamf Connect: Not affected

Jamf Connect does not use the affected libraries.

 

Jamf Now: Not affected

Jamf Now does not use the affected libraries.

 

Jamf Protect: Not affected

Jamf Protect does not use the affected libraries.

 

Jamf School: Not affected

Jamf School does not use the affected libraries.

 

Jamf Threat Defense: Not affected

Jamf Threat Defense does not use the affected libraries.

 

Jamf Data Policy: Not affected

Jamf Data Policy does not use the affected libraries.

 

Jamf Private Access: Not affected

Jamf Private Access does not use the affected libraries.

 

Health Care Listener: Not vulnerable

While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.

 

Jamf Infrastructure Manager: Not vulnerable

While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.

 

Next Steps

We will be releasing updates for affected products as quickly as feasible. However, you can choose to work around the issue by manually updating the log4j instances of the affected systems as described in our technical document.... If you choose to implement the manual workaround as described, future version updates will not be affected. For assistance with this workaround, please reach out to support@jamf.com.

 

We are actively continuing to assess the impact and mitigate the vulnerability across our platform. Please note that some customers may experience brief Jamf Cloud interruptions over the weekend as a result of security updates and refinements. If you have any questions, please reach out to Customer Success.  

 

Due to the urgency, this communication is available in English only.

nebjamf
New Contributor II

18 hours?  You can't be serious....

This is not acceptable.

HotTubChris
New Contributor

I agree with the others. Being down for hours in the middle of the week is no bueno.

jacob_bernardy
Community Manager

We understand and do not take lightly the impact of performing this maintenance without more notice. The information in the original post has been updated with estimated timing of the completion of this maintenance. Please monitor status.jamf.com for updates. We will share more information as we’re able.

Thank you for your patience as we continue to work to ensure the security of your Jamf environment.

donmontalvo
Esteemed Contributor III

Welp…

@kaylee_carlson Looks like NIST released CVE-2021-45105 with an 8.1 (of 10) rating, requiring log4j to be patched to 2.17.

https://nvd.nist.gov/vuln/detail/CVE-2021-45105

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

FWIW

https://github.com/mergebase/log4j-detector

--
https://donmontalvo.com
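A minimal version of what a jar scanner like the one linked above does, written here as an added example (it is not code from the original post, from Jamf, or from the mergebase project): walk a directory, open every jar (and jars nested inside a war/ear, which is where a Tomcat-hosted app like Jamf Pro keeps them), read the log4j-core version from its Maven pom.properties, check whether JndiLookup.class is still present, and map that to the three CVEs discussed in this thread. The fixture jars it scans are constructed inline and carry only the two entries the scanner keys on; the version thresholds are the published fix levels (2.15.0, 2.16.0, 2.17.0, plus the 2.12.x and 2.3.x backports for older Java). It reports 2.16.0 separately because CVE-2021-45105 is a recursion bug in lookup evaluation (reachable only through a non-default PatternLayout that uses a context lookup such as $${ctx:...} with attacker-influenced Thread Context data), so deleting JndiLookup.class, which does neutralize the two earlier CVEs on older versions, does nothing for it.

```python
"""Find log4j-core jars under a directory (including jars nested inside .war/.ear
archives) and classify each against CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
Added example, not Jamf's or mergebase's code; thresholds are the published
fix versions (2.15.0 / 2.16.0 / 2.17.0 plus the 2.12.x and 2.3.x backports)."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties):
    """Extract (major, minor, patch) from a 'version=2.14.1' line; None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def classify(version, has_jndi):
    """Map a log4j-core version tuple plus JndiLookup.class presence to a verdict."""
    if version is None:
        return "jndilookup-present-version-unknown" if has_jndi else "unknown-version"
    major, minor, patch = version
    if major != 2:
        return "not-log4j2"
    # Backport branches: 2.12.2 is at the 2.16 fix level, 2.12.3 and 2.3.1 at the 2.17 level.
    if (minor == 12 and patch >= 3) or (minor == 3 and patch >= 1):
        return "ok"
    if minor == 12 and patch == 2:
        return "CVE-2021-45105"
    if version >= (2, 17, 0):
        return "ok"
    if version >= (2, 16, 0):
        return "CVE-2021-45105"   # lookup recursion, not JNDI: removing the class does not help
    if not has_jndi:
        return "mitigated-jndilookup-removed"   # Apache's class-deletion mitigation for <= 2.15
    if version >= (2, 15, 0):
        return "CVE-2021-45046"
    return "CVE-2021-44228"


def inspect_archive(data, label):
    """Return [(label, version, verdict)] for one archive, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append((label, version, classify(version, JNDI_CLASS in names)))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk root and inspect every archive; labels are paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fname)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), rel))
    return findings


def make_log4j_jar(version, include_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar with only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def demo():
    """Build a constructed webapp layout in a temp dir, scan it, return {path: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        for ver, jndi, name in [("2.14.1", True, "log4j-core-2.14.1.jar"),
                                ("2.14.1", False, "log4j-core-2.14.1-nojndi.jar"),
                                ("2.15.0", True, "log4j-core-2.15.0.jar"),
                                ("2.16.0", True, "log4j-core-2.16.0.jar")]:
            with open(os.path.join(lib, name), "wb") as fh:
                fh.write(make_log4j_jar(ver, jndi))
        war = io.BytesIO()   # a war bundling a fixed log4j-core, to exercise nested-archive handling
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", make_log4j_jar("2.17.0"))
        with open(os.path.join(root, "ROOT.war"), "wb") as fh:
            fh.write(war.getvalue())
        return {label: verdict for label, _, verdict in scan_tree(root)}


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:36} {path}")
```

Run it against a real Tomcat webapps directory by calling scan_tree("/path/to/webapps") instead of demo(). Two caveats a practitioner should keep in mind: a shaded or renamed log4j-core carries the class but not the Maven pom, so "jndilookup-present-version-unknown" deserves a manual look rather than being ignored, and a clean scan of the filesystem says nothing about a jar that was only ever loaded from memory or from a path the scan did not cover.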

dan-snelson
Valued Contributor II

https://community.jamf.com/t5/jamf-pro/third-party-security-issue/td-p/253740

UPDATE 12/18
We are aware of CVE-2021-45105 that was remediated in log4j 2.17.0. At this time, this new vulnerability does not seem to affect any Jamf products or services. The conditions required for the exploitation of the vulnerability are not met by Jamf's use of the log4j library. No further action is required at this time.

 

john_skinner
New Contributor

How is JAMF addressing the vulnerability issues introduced in Log4j 2.16 CVE-2021-45105 that is fixed by Log4j version 2.17? Has it been determined that JAMF Pro version 10.34.2 is vulnerable or not impacted?