RCE 0-day exploit found in log4j

Elies
New Contributor II

hello together!
A zero day exploit has been found which affects the latest version of jamf.
https://www.lunasec.io/docs/blog/log4j-zero-day/

This exploit affects the java logger log4j, which is used by Jamf. If you are hosting an onpremise version, take a look at the JSSAccess.log to check for anomalies.

42 REPLIES 42

WsIT
New Contributor II

Thanks for sharing it @Elies, any idea how can I upgrade log4j to the latest version? 

Elies
New Contributor II

Start your server with log4j2.formatMsgNoLookups set to true, or update to log4j-2.15.0-rc1 or later.

Elies
New Contributor II

Here is the cve for completeness:
CVE-2021-44228

Cyberghost
New Contributor III

Thanks for sharing.
Does it help to restrict the access to computer only and to disable the login on the JSS page? 

Elies
New Contributor II

No. Currently only workaround is to start your server with log4j2.formatMsgNoLookups set to true, or update to log4j-2.15.0-rc1 or later. If you want to be updated you can check this blog post for possible mitigations:
https://www.lunasec.io/docs/blog/log4j-zero-day/

Elies
New Contributor II

Specific for Jamf Pro:
Edit this file: 

webapps/ROOT/WEB-INF/classes/log4j2.component.properties


and add 

log4j2.formatMsgNoLookups: true

restart your jamf instance.

Thank you Elies. Every place I was looking was just saying set formatMsgNoLookup to true. Not very helpful if you do not knot the filename or proper format. This saved a lot of time.

michaelprice
New Contributor III

Not seeing the log4j2.component.properties file on either of our nodes.  We only have log4j2-default.xml and log4j2.xml.  Performed a find for *.properties files in ROOT and didn't find it.

fridomac
New Contributor III

So you can either set that in log4j2.component.properties, or in the Tomcat Java Arguments, right?

coreyammons
New Contributor II

I added the following as a second line. Does anyone know how to update to the recent version? 

log4j2.formatMsgNoLookups: true

 

jmbwell
New Contributor II

Any indication whether this affects Jamf Infrastructure Manager?

ooohhhh.....I wanna know this as well....!  I have JIM's in my environment.  

Sure looks like it from what I can see.

mvanstone
New Contributor

I applied the mitigation and I have been checking the JSSAccess.log I don't see anything out of the ordinary.

 

All seems ok? What would I be looking for? Running a few scans on the server just to make sure all is ok.

 

I went through this with Exchange in March and didn't like it at all! 😞

seabash
Contributor

Our friend @bentoms shared this link in MacAdmins #security in which Jamf CISO posted about Third-Party Security Issue. I cross-posted in comments, in case official Jamf response differs at all from this.

Thanks, @Elies !

Keith__Myers
New Contributor III

I added the extra line to log4j2.component.properties on an on-prem Jamf Pro 10.32 server and then restarted Tomcat.  It took a long time to begin responding to http requests, but it did eventually come back up.  Is there a way to test that this successfully mitigated the CVE?

--- Keith Myers

aamjohns
Contributor II

If you are running Windows server and IIS you can also check your IIS logs for lines that contain 'jndi'.  They will be located in a directory similar to this: C:\inetpub\logs\LogFiles\W3SVC1\

Also, the default path to the JSSAccess.log on Windows Server is C:\program files\jss\logs\JSSAccess.log

I’m looking through the JSSAccess.log I really don’t see anything out of the ordinary what am I looking for?

@mvanstone Hi.  In your JSSAccess.log you would want to look for unusual account names, or possibly failures.  Look for anything that seems out of the ordinary.  If you run IIS I highly recommend you search your IIS logs for the string 'jndi'.  The string containing jndi will most likely be the attack string.

benducklow
Contributor III

@Elies is that workaround for all versions of Jamf Pro?

Eric_Wacker
New Contributor

For anyone who comes back to this thread, official word is out:

https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html

donmontalvo
Esteemed Contributor III

Jamf just released 10.34.1 to remediate the zero-day vulnerability.

--
https://donmontalvo.com

benducklow
Contributor III

Thanks @donmontalvo. As @Eric_Wacker pointed out with the link, Jamf Support passed the mitigation steps out to use for those whom don't want to take the jump right away..

donmontalvo
Esteemed Contributor III

Yep, same effort for us, we chose the dot update since it was released so quickly. Plus it’s raining here.

--
https://donmontalvo.com

Elies
New Contributor II

I have applied the patch from Jamf and can confirm that JNDI code from the log is no longer triggered.
log4j2.formatMsgNoLookups: true is no longer necessary if you are on 10.34.1.

If you want to test it yourself, generate a domain at http://www.dnslog.cn/ and build a jndi command with the domain and try to log in to your jss with the jndi string. If you are still vulnerable, your dns records should be visible on the page where you generated the domain.
oie_MVlr9rwtIuPU.png
dnslog.png

EHoug
New Contributor II

We have just confirmed our on-premise server is compromised, found a malicious jamf.ps file, not sure if the best course of action is to restore from backup and update server or to simply remove jamf.ps file and update server?

Elies
New Contributor II

Where did you find this file?

EHoug
New Contributor II

It was initially downloaded to the root of c:

Elies
New Contributor II

Depends on the content of the script. Can you read powershell and understand what is being done there?

EHoug
New Contributor II

The jamf.ps script is encoded, our security team are currently trying to access it

I would strongly recommend against using a service based in China to test/reveal whether your system is vulnerable or compromised.  Really bad idea.

donmontalvo
Esteemed Contributor III

log4shell

^^^Just adding so it comes up in a search.

--
https://donmontalvo.com

jmahlman
Valued Contributor

What would be the best course of action on investigating if your server has been compromised?

EHoug
New Contributor II

Not sure about your environment but our security team detected the use of encoded powershell on our jss from a specified IP that downloaded a jamf.ps file to our JSS server, root of c:. We blocked the IP, isolated JSS, triaging now. 

When did you patch your server?

EHoug
New Contributor II

Server is isolated at present, looking to patch today hopefully

TSOAFTVPPC
Contributor

I don't find any of the files referenced in this mitigation article.:
https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html
Are they someplace else?

EHoug
New Contributor II

I found this a good resource for information https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

jrippy
Contributor III

Apparently 2.15.0 was only a partial mitigation.  log4j 2.16.0 has been released that disables JNDI completely.  CVE