Log4j Vulnerability

mbayhylle
New Contributor II

So the only Log4j file I can find on my on-prem JAMF Pro servers is log4j-1.2.17.jar. Do I need to do anything to mitigate the vulnerability at this point?


chris_hansen
Contributor

tainguyen
New Contributor

I'm having the same issue. The instruction's file structure is different in our environment. We only have the 1 log4j-1.2.17.jar vs the 4 that were mentioned in the article. I've tried replacing the 1 file with the 4 2.15.0 files, but my web portal does not start. I'm getting a 404 Status page.

Same issue here running 10.30.3: the files indicated are not found.

Article shows the requirements as Jamf Pro 10.31.0–10.34.0 so your environment might not be in the scope.

R_C
New Contributor III

What version of JAMF Pro are you running?

I was able to find all of the log4j files mentioned in JAMF's mitigation documentation which makes me wonder how your environments differ.

tainguyen
New Contributor

We're on 10.26.1

R_C
New Contributor III

Sounds like the issue with mitigating the vulnerability is that you are quite behind on Jamf Pro updates.

10.26.1 was released around Dec 2020. There have been quite a number of updates since then.

I would strongly recommend backing up your database and scheduling an upgrade to 10.34.1.


donmontalvo
Esteemed Contributor II

@R_C wrote:

I would strongly recommend backing up your database and scheduling an upgrade to 10.34.1.


Yeah, this one is rated 10 of 10 on the security scale.

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor II

log4shell

^^^Just adding so it comes up in a search.

--
https://donmontalvo.com

mm2270
Legendary Contributor II

Jamf needs to update their documentation to include the fact that the instructions are only applicable to Jamf Pro versions 10.31 and up. If you're on an older version, your only recourse is to upgrade to at least 10.31 or to 10.34.1, which takes care of this issue without needing to do anything manually. The instructions don't clearly spell out which versions the mitigation steps apply to.

gwn714
New Contributor

I am also on 10.26 and just need to know if my version is vulnerable. I totally get the whole upgrade thing, but without going through an upgrade, is 10.26 with log4j-1.2.17.jar vulnerable or is it unaffected by this exploit?

mm2270
Legendary Contributor II

@gwn714 So, in my discussion with Jamf Support on this, they will not commit to saying that Jamf Pro versions below 10.31 are unaffected by this particular issue. However, the notes in the CVE and from the developer have indicated that log4j versions 1.x are in fact NOT affected by CVE-2021-44228, because the JNDI mechanism that's being used to exploit this vulnerability doesn't exist in those versions. That does NOT mean log4j 1.x doesn't have any other issues or bugs.

All Jamf can really tell anyone is that they know Jamf Pro 10.34.1 has this issue addressed. Beyond that, they won't really say. And I get it. They don't want to commit to saying it's safe for liability reasons, since they really can't be 100% sure.
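An added triage script, not from this thread or from Jamf, that applies the point made above: it walks a directory for log4j jars, reads the version from the filename, and checks whether the JndiLookup class (the CVE-2021-44228 entry point, which only exists in log4j 2.x) is inside each jar. The WEB-INF/lib layout and the jars it builds are constructed sample data; 2.15.0 is used as the fixed threshold because that is the release the mitigation article swaps in.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# The class whose JNDI lookup is abused in CVE-2021-44228; it exists only in log4j 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-api-2.15.0.jar, etc.
VERSION_RE = re.compile(r"log4j-(?:\w+-)?(\d+)\.(\d+)\.(\d+)\.jar$")

def classify_jar(jar: Path) -> str:
    """Classify one log4j jar by filename version and by whether JndiLookup.class is inside."""
    match = VERSION_RE.search(jar.name)
    version = tuple(int(x) for x in match.groups()) if match else None
    with zipfile.ZipFile(jar) as zf:
        has_jndi = JNDI_LOOKUP in zf.namelist()
    if version and version[0] == 1:
        return "not-affected-1.x"        # no JNDI lookup mechanism, but 1.x is end-of-life
    if version and version >= (2, 15, 0):
        return "fixed"                   # the release the Jamf instructions replace 2.x jars with
    if has_jndi:
        return "vulnerable"              # 2.x below 2.15.0 with JndiLookup still present
    return "mitigated-class-removed"     # JndiLookup.class stripped out of the jar

def scan(root: Path) -> dict:
    """Walk a tree (e.g. the Jamf Pro webapp lib directory) and classify every log4j jar."""
    return {p.name: classify_jar(p) for p in sorted(root.rglob("log4j*.jar"))}

def _write_jar(path: Path, entries: list) -> None:
    """Constructed sample jar: a zip with empty placeholder entries at the given paths."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")

def build_sample_tree() -> Path:
    """Constructed sample data mirroring the thread: one 1.2.17 jar plus three 2.x jars."""
    root = Path(tempfile.mkdtemp()) / "jamf-pro" / "WEB-INF" / "lib"
    root.mkdir(parents=True)
    core = "org/apache/logging/log4j/core/Core.class"
    _write_jar(root / "log4j-1.2.17.jar", ["org/apache/log4j/Logger.class"])
    _write_jar(root / "log4j-core-2.14.1.jar", [core, JNDI_LOOKUP])
    _write_jar(root / "log4j-core-nojndi.jar", [core])
    _write_jar(root / "log4j-core-2.15.0.jar", [core, JNDI_LOOKUP])
    return root

if __name__ == "__main__":
    for name, verdict in scan(build_sample_tree()).items():
        print(f"{name}: {verdict}")
```

On a real server, point `scan()` at the Jamf Pro webapp directory instead of the constructed tree; a result of `vulnerable` on any jar is the case the upgrade or the manual jar replacement is meant to close.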