log4j - jamf pro server still on 10.34

mickl089
Contributor III

hello,
when we get the 10.34.1 patch? our managed jamf pro server is still on 10.34 😞

thanks!

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

So, if you read Jamf's official statement on their cloud instances and this vulnerability, they specifically mention the issue has been addressed through other controls. Apparently Jamf cloud servers do not allow the type of traffic that would be required to use this exploit, even if a vulnerable version of log4j2 is still installed on them. So 10.34.1 may only be necessary for on prem servers.

I would imagine eventually, like maybe in the next full release, Jamf will roll in an updated version of log4j 2, maybe 2.16, so it's fully patched.

View solution in original post

4 REPLIES 4

spotmac
New Contributor III

I suspect Jamf Pro is still vulnerable. Version 2.15.0 was used in the 10.31.1 update. 

spotmac
New Contributor III

mm2270
Legendary Contributor III

So, if you read Jamf's official statement on their cloud instances and this vulnerability, they specifically mention the issue has been addressed through other controls. Apparently Jamf cloud servers do not allow the type of traffic that would be required to use this exploit, even if a vulnerable version of log4j2 is still installed on them. So 10.34.1 may only be necessary for on prem servers.

I would imagine eventually, like maybe in the next full release, Jamf will roll in an updated version of log4j 2, maybe 2.16, so it's fully patched.

ImAMacGuy
Valued Contributor II

I did reach out to jamf support re: this same question.  would be nice to have the warm fuzzy feeling of the version bump on the cloud.  I'm sure we could request the update given the situation.