- Jamf Nation Community
- Products
- Jamf Pro
- Re: Jamf Pro 10.34.2 Now Available
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Jamf Pro 10.34.2 Now Available
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-17-2021 12:25 PM - edited 12-20-2021 06:24 AM
Hello Jamf Nation,
Today we're releasing an update for Jamf Pro that addresses critical security issues CVE-2021-44228 and CVE-2021-45046. For details on how we’re addressing these vulnerabilities across the Jamf platform, please see this Jamf Nation post. Because keeping our customers’ environments secure is of the utmost importance, we’ll continue to be very intentional about when and how we communicate.
We strongly recommend that you upgrade to Jamf Pro 10.34.2 as soon as possible. Customers utilizing our cloud-based products have had the vulnerability mitigated through layered security controls. We are confident that these mitigations are effective against all known attacks. Out an abundance of caution, we are releasing Jamf Pro 10.34.2 to include log4j 2.16 and mitigate all currently known log4j vulnerabilities.
Please read the resolved issues section of the release notes for more information. Additional details on the resolved vulnerability will be made available on a future date to allow for Jamf Pro instances to be updated before full disclosure.
We will also be sending this information via email to primary technical contacts at affected organizations.
Thank you!
Reply
49 REPLIES 49
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-17-2021 03:51 PM
I find it a little hard to believe on 12/10 we got this email with regards to Jamf and the identified vulnerability and stated that Jamf Pro Cloud and Jamf Cloud Premium were mitigated through appropriate security controls. No further actions are necessary! Here we are locked out of Cloud solution to mitigate something that was already stated being done on 12/10/2021. Major disruption to my Health System.
On December 9, 2021, a Remote Code Execution (RCE) vulnerability (CVE-2021-44228) was identified in the log4j library (https://www.lunasec.io/docs/blog/log4j-zero-day/) and multiple threat actors have been found to be scanning for vulnerable systems. We are actively working to assess the impact and mitigate the vulnerability across our platform (tracked as PI-010403).
Due to the nature of the issue, this is considered a critical vulnerability.
What Jamf products are impacted by the vulnerability?
Jamf Pro (hosted on-premises): Affected
Jamf Pro 10.14 and later include Java 11 which partially mitigated the issue. We are actively working on a complete mitigation in a new Jamf Pro release. Until this version is available, a manual workaround to update the log4j library directly is documented below.
Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated
Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.
Jamf Connect: Not affected
Jamf Connect does not use the affected libraries.
Jamf Now: Not affected
Jamf Now does not use the affected libraries.
Jamf Protect: Not affected
Jamf Protect does not use the affected libraries.
Jamf School: Not affected
Jamf School does not use the affected libraries.
Jamf Threat Defense: Not affected
Jamf Threat Defense does not use the affected libraries.
Jamf Data Policy: Not affected
Jamf Data Policy does not use the affected libraries.
Jamf Private Access: Not affected
Jamf Private Access does not use the affected libraries.
Health Care Listener: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
Jamf Infrastructure Manager: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
Next Steps
We will be releasing updates for affected products as quickly as feasible. However, you can choose to work around the issue by manually updating the log4j instances of the affected systems as described in our technical document.... If you choose to implement the manual workaround as described, future version updates will not be affected. For assistance with this workaround, please reach out to support@jamf.com.
We are actively continuing to assess the impact and mitigate the vulnerability across our platform. Please note that some customers may experience brief Jamf Cloud interruptions over the weekend as a result of security updates and refinements. If you have any questions, please reach out to Customer Success.
Due to the urgency, this communication is available in English only.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-17-2021 04:11 PM
18 hours? You can't be serious....
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-17-2021 04:14 PM
This is not acceptable.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-17-2021 04:26 PM
I agree with the others. Being down for hours in the middle of the week is no bueno.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-17-2021 05:39 PM
We understand and do not take lightly the impact of performing this maintenance without more notice. The information in the original post has been updated with estimated timing of the completion of this maintenance. Please monitor status.jamf.com for updates. We will share more information as we’re able.
Thank you for your patience as we continue to work to ensure the security of your Jamf environment.
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-18-2021 09:24 AM - edited 12-19-2021 05:57 PM
Welp…
@kaylee_carlson Looks NIST released CVE-2021-45105 with 8.1 (of 10) rating requiring log4j to be patched to 2.17.
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
--
https://donmontalvo.com
https://donmontalvo.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-18-2021 12:09 PM
FWIW
https://github.com/mergebase/log4j-detector
--
https://donmontalvo.com
https://donmontalvo.com
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-20-2021 09:40 AM
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 09:45 AM - edited 12-20-2021 09:45 AM
https://community.jamf.com/t5/jamf-pro/third-party-security-issue/td-p/253740
UPDATE 12/18
We are aware of CVE-2021-45105 that was remediated in log4j 2.17.0. At this time, this new vulnerability does not seem to affect any Jamf products or services. The conditions required for the exploitation of the vulnerability are not met by Jamf's use of the log4j library. No further action is required at this time.
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-21-2021 02:56 PM
How is JAMF addressing the vulnerability issues introduced in Log4j 2.16 CVE-2021-45105 that is fixed by Log4j version 2.17? Has it been determined that JAMF Pro version 10.34.2 is vulnerable or not impacted?
