Jamf Nation Community

mickl089 · ‎12-15-2021

hello,
when we get the 10.34.1 patch? our managed jamf pro server is still on 10.34 😞

thanks!

mm2270 · ‎12-15-2021

So, if you read Jamf's official statement on their cloud instances and this vulnerability, they specifically mention the issue has been addressed through other controls. Apparently Jamf cloud servers do not allow the type of traffic that would be required to use this exploit, even if a vulnerable version of log4j2 is still installed on them. So 10.34.1 may only be necessary for on prem servers.

I would imagine eventually, like maybe in the next full release, Jamf will roll in an updated version of log4j 2, maybe 2.16, so it's fully patched.

View solution in original post

spotmac · ‎12-15-2021

I suspect Jamf Pro is still vulnerable. Version 2.15.0 was used in the 10.31.1 update.

spotmac · ‎12-15-2021

https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html

mm2270 · ‎12-15-2021

So, if you read Jamf's official statement on their cloud instances and this vulnerability, they specifically mention the issue has been addressed through other controls. Apparently Jamf cloud servers do not allow the type of traffic that would be required to use this exploit, even if a vulnerable version of log4j2 is still installed on them. So 10.34.1 may only be necessary for on prem servers.

I would imagine eventually, like maybe in the next full release, Jamf will roll in an updated version of log4j 2, maybe 2.16, so it's fully patched.

ImAMacGuy · ‎12-15-2021

I did reach out to jamf support re: this same question. would be nice to have the warm fuzzy feeling of the version bump on the cloud. I'm sure we could request the update given the situation.

Jamf Nation Community

log4j - jamf pro server still on 10.34