03-31-2022 10:55 AM - edited 04-02-2022 11:54 AM
SpringShell: Spring Core RCE 0-day Vulnerability
Details of this vulnerability, along with a CVE, have now been published. We are actively investigating any impact resulting from this vulnerability across all of our products, and we will update this thread with information as we learn more.
Here are some FAQs on this vulnerability.
We will update this post with additional information as soon as we have it.
Posted on 03-31-2022 11:56 PM
Thanks Aaron found a lot of springframeworks in the Jamf Pro (Cloud) instance server logs (example below) how quickly will this be patched out?
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.11.jar:5.3.11]
Posted on 04-01-2022 12:09 AM
Do we know if any other Jamf Product are affected by CVE-2022-22965?
Posted on 04-01-2022 08:12 AM
Are previous (ex: <10.37.0) versions not affected, and that is the reason the update is being held off? Or is it because the fix will be available very soon and JAMF is avoiding having to update all their cloud servers twice within a very short period?
Posted on 04-01-2022 09:12 AM
Can we update to Tomcat 8.5.78 to close the attack vector?
Posted on 04-01-2022 10:31 AM
Posted on 04-01-2022 11:06 AM
I'd like to second what @Discher asked - how may we patch Tomcat ourselves?
I've asked this before, and Jamf has been mute - but they constantly put out new patches for Jamf Pro with outdated Tomcat versions (10.37.0 came with an old version). We need a method of updating Tomcat to the latest Tomcat 8 version without waiting on Jamf
Posted on 04-01-2022 11:28 AM
@ncats_lab if you use the manual installer.. you then manage tomcat etc yourself.
..and, AFAIK.. this vuln isn't Tomcat.. but a framework used within Jamf Pro's .war
Posted on 04-01-2022 11:47 AM
It can be mitigated by upgrading Tomcat:
If you’re able to upgrade to Spring Framework 5.3.18 and 5.2.20, no workarounds are necessary. Downgrading to Java 8 provides a viable workaround, which may be a quick and simple thing to do as a tactical solution, until you can upgrade to a supported Spring Framework version.
For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides protection against the reported attack vector. However, applying the workarounds described next is still a good step to prevent any other possible attack vectors."
Also, we use the tarbal from Jamf to upgrade Jamf (with a .run) . We shouldn't have to do this manually each time in order to replace Tomcat
Posted on 04-01-2022 11:51 AM
Also, of note - there is documentation for manually upgrading Jamf Pro on Windows, but not for Linux - the only option provided is upgrading with the installer.
Posted on 04-01-2022 11:56 AM
@ncats_lab we use the manual installer for our ubuntu kubernetes jamf pro pods.
Basically.. install java.. tomcat.. drop the .war into the web apps directory of tomcat... start tomcat..
In this scenario, mysql is elsewhere.
Posted on 04-04-2022 09:05 AM
Thank you @bentoms . Unfortunately, this is going to take some more detailed work.
I tried to manually upgrade, but it reported that web.xml was corrupted. I replaced the new web.xml from the upgraded Tomcat with the original, so I am assuming that there was some change that I am not aware of. But I'm going to try to troubleshoot stuff when I have time.
Thanks again - hopefully, Jamf will provide updated documentation for manual upgrades on Linux.
04-02-2022 11:15 AM - edited 04-02-2022 11:54 AM
Posted on 04-02-2022 11:39 AM
We are still running 10.35. There's no published evidence from you that Jamf Pro is affected by this vulnerability, but for peace of mind, it would be good if you tell us if there's a way to manually patch the Spring framework (as there was with the log4j libraries).
Posted on 04-02-2022 03:20 PM
Due to the mysql dependencies we are still with 10.34.2, so is there anything we can do to mitigate the vulnerability, or do we have to try an emergency update of the mysql version?
Posted on 04-04-2022 01:43 AM
As @TeamOC asked (but I was not able to find the answer, if there is any already, sorry ;)):
Are versions <10.36.x also affected? I was not able to find a hint for that.
Posted on 04-04-2022 09:40 AM
Versions prior to 10.36 do contain the vulnerable Spring component. We do not recommend manual upgrades as it is more complex than a direct update of the impacted component, and may cause instability or future update issues. While we did not see a clean path to direct exploitation within Jamf products in the short time since this vulnerability was identified, we recommend everyone update to 10.36.4 or 10.37.2