12-17-2021 12:25 PM - edited 12-20-2021 06:24 AM
Posted on 12-17-2021 03:51 PM
I find it a little hard to believe that on 12/10 we got this email with regards to Jamf and the identified vulnerability, which stated that Jamf Pro Cloud and Jamf Cloud Premium were mitigated through appropriate security controls. No further actions are necessary! Here we are, locked out of the Cloud solution to mitigate something that was already stated as being done on 12/10/2021. Major disruption to my Health System.
On December 9, 2021, a Remote Code Execution (RCE) vulnerability (CVE-2021-44228) was identified in the log4j library (https://www.lunasec.io/docs/blog/log4j-zero-day/) and multiple threat actors have been found to be scanning for vulnerable systems. We are actively working to assess the impact and mitigate the vulnerability across our platform (tracked as PI-010403).
Due to the nature of the issue, this is considered a critical vulnerability.
What Jamf products are impacted by the vulnerability?
Jamf Pro (hosted on-premises): Affected
Jamf Pro 10.14 and later include Java 11 which partially mitigated the issue. We are actively working on a complete mitigation in a new Jamf Pro release. Until this version is available, a manual workaround to update the log4j library directly is documented below.
Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated
Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.
Jamf Connect: Not affected
Jamf Connect does not use the affected libraries.
Jamf Now: Not affected
Jamf Now does not use the affected libraries.
Jamf Protect: Not affected
Jamf Protect does not use the affected libraries.
Jamf School: Not affected
Jamf School does not use the affected libraries.
Jamf Threat Defense: Not affected
Jamf Threat Defense does not use the affected libraries.
Jamf Data Policy: Not affected
Jamf Data Policy does not use the affected libraries.
Jamf Private Access: Not affected
Jamf Private Access does not use the affected libraries.
Health Care Listener: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
Jamf Infrastructure Manager: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
Next Steps
We will be releasing updates for affected products as quickly as feasible. However, you can choose to work around the issue by manually updating the log4j instances of the affected systems as described in our technical document.... If you choose to implement the manual workaround as described, future version updates will not be affected. For assistance with this workaround, please reach out to support@jamf.com.
We are actively continuing to assess the impact and mitigate the vulnerability across our platform. Please note that some customers may experience brief Jamf Cloud interruptions over the weekend as a result of security updates and refinements. If you have any questions, please reach out to Customer Success.
Due to the urgency, this communication is available in English only.
Posted on 12-17-2021 04:11 PM
18 hours? You can't be serious....
Posted on 12-17-2021 04:14 PM
This is not acceptable.
Posted on 12-17-2021 04:26 PM
I agree with the others. Being down for hours in the middle of the week is no bueno.
Posted on 12-17-2021 05:39 PM
We understand and do not take lightly the impact of performing this maintenance without more notice. The information in the original post has been updated with estimated timing of the completion of this maintenance. Please monitor status.jamf.com for updates. We will share more information as we’re able.
Thank you for your patience as we continue to work to ensure the security of your Jamf environment.
12-18-2021 09:24 AM - edited 12-19-2021 05:57 PM
Welp…
@kaylee_carlson Looks like NIST released CVE-2021-45105 with an 8.1 (of 10) rating, requiring log4j to be patched to 2.17.
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
Posted on 12-18-2021 12:09 PM
FWIW
https://github.com/mergebase/log4j-detector
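To show the kind of check a detector like the one linked above performs, here is an added example (not code from this thread, from Jamf, or from the mergebase tool) that walks a directory for log4j-core JARs, reads the version from the JAR's Maven pom.properties (falling back to the filename), and reports which of the two CVEs discussed in this thread are still unfixed at that version. It assumes the 2.x mainline fix versions 2.15.0 (CVE-2021-44228) and 2.17.0 (CVE-2021-45105), and the JARs it scans are constructed stand-ins built in a temporary directory.

```python
"""Report log4j-core JARs whose version predates the fixes discussed in
this thread. Constructed example; not Jamf's or mergebase's code."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: fixed-in versions on the log4j 2.x mainline only
# (older maintenance branches such as 2.12.x are not modelled here).
FIXES = {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45105": (2, 17, 0)}
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Return (major, minor, patch) from the first x.y.z found, else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(jar):
    """Prefer the Maven metadata inside the JAR; fall back to the filename."""
    with zipfile.ZipFile(jar) as z:
        if POM in z.namelist():
            for line in z.read(POM).decode().splitlines():
                if line.startswith("version="):
                    return parse_version(line)
    return parse_version(Path(jar).name)


def outstanding_cves(version):
    """CVEs from FIXES that are not yet fixed at this version."""
    return [cve for cve, fixed in FIXES.items() if version < fixed]


def scan(root):
    """Map each log4j-core JAR path under root to (version, outstanding CVEs)."""
    results = {}
    for jar in Path(root).rglob("log4j-core*.jar"):
        v = jar_version(jar)
        results[str(jar)] = (v, outstanding_cves(v) if v else ["unknown version"])
    return results


def make_sample_jar(directory, version):
    """Construct a stand-in JAR containing only pom.properties (test input)."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM, f"version={version}\n")
    return path


def demo():
    """Scan three constructed JARs; returns {version tuple: outstanding CVEs}."""
    with tempfile.TemporaryDirectory() as d:
        for v in ("2.14.1", "2.16.0", "2.17.0"):
            make_sample_jar(d, v)
        return {v: cves for v, cves in scan(d).values()}
```

Run `demo()` to see a 2.14.1 JAR flagged for both CVEs, 2.16.0 for CVE-2021-45105 only, and 2.17.0 for neither.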
Posted on 12-20-2021 09:40 AM
12-20-2021 09:45 AM - edited 12-20-2021 09:45 AM
https://community.jamf.com/t5/jamf-pro/third-party-security-issue/td-p/253740
UPDATE 12/18
We are aware of CVE-2021-45105 that was remediated in log4j 2.17.0. At this time, this new vulnerability does not seem to affect any Jamf products or services. The conditions required for the exploitation of the vulnerability are not met by Jamf's use of the log4j library. No further action is required at this time.
Posted on 12-21-2021 02:56 PM
How is JAMF addressing the vulnerability issues introduced in Log4j 2.16 CVE-2021-45105 that is fixed by Log4j version 2.17? Has it been determined that JAMF Pro version 10.34.2 is vulnerable or not impacted?