SpringShell: Spring Core RCE 0-day Vulnerability
Details of this vulnerability, along with a CVE, have now been published. We are actively investigating any impact resulting from this vulnerability across all of our products, and we will update this thread with information as we learn more.
Here are some FAQs on this vulnerability.
We will update this post with additional information as soon as we have it.
Thanks Aaron. Found a lot of springframework entries in the Jamf Pro (Cloud) instance server logs (example below). How quickly will this be patched out?
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.11.jar:5.3.11]
I'd like to second what @Discher asked - how may we patch Tomcat ourselves?
I've asked this before, and Jamf has been mute - but they constantly put out new patches for Jamf Pro with outdated Tomcat versions (10.37.0 came with an old version). We need a method of updating Tomcat to the latest Tomcat 8 version without waiting on Jamf.
It can be mitigated by upgrading Tomcat:
"If you’re able to upgrade to Spring Framework 5.3.18 and 5.2.20, no workarounds are necessary. Downgrading to Java 8 provides a viable workaround, which may be a quick and simple thing to do as a tactical solution, until you can upgrade to a supported Spring Framework version.
For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides protection against the reported attack vector. However, applying the workarounds described next is still a good step to prevent any other possible attack vectors."
Also, we use the tarball from Jamf to upgrade Jamf (with a .run). We shouldn't have to do this manually each time in order to replace Tomcat.
Also, of note - there is documentation for manually upgrading Jamf Pro on Windows, but not for Linux - the only option provided is upgrading with the installer.
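The Spring guidance quoted above boils down to three checks: which Spring Framework build the webapp ships, which Tomcat branch it runs under, and whether the JVM is Java 8 or newer. The script below is an added example, not code from this thread, from Jamf, or from the Spring project: it encodes those thresholds (Spring fixed at 5.3.18 and 5.2.20; Tomcat mitigated at 10.0.20, 9.0.62, 8.5.78; Java 8 not exposed to the reported vector) and reads the Spring version off the spring-beans jar name, the same way the spring-webmvc-5.3.11.jar in the stack trace posted earlier gives its version away. The Tomcat location /usr/local/jss/tomcat, the webapp directory webapps/ROOT and the use of catalina.sh version are assumptions about a Linux Jamf Pro install; adjust them for your system.

```shell
#!/bin/sh
# Added example, not from the thread or from Jamf: classify a Tomcat-hosted
# Spring webapp (e.g. Jamf Pro on Linux) against the SpringShell conditions
# in the Spring guidance quoted in this thread.

# Compare two dotted versions numerically: returns 0 when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            d = (x[i] + 0) - (y[i] + 0);
            if (d > 0) exit 0;
            if (d < 0) exit 1;
        }
        exit 0
    }'
}

# Spring 5.3.x is fixed from 5.3.18, 5.2.x from 5.2.20; older lines are
# unsupported and carry no fix.
spring_is_fixed() {
    case "$1" in
        5.3.*) version_ge "$1" 5.3.18 ;;
        5.2.*) version_ge "$1" 5.2.20 ;;
        *)     return 1 ;;
    esac
}

# Tomcat builds that block the reported attack vector, per the same guidance.
tomcat_is_fixed() {
    case "$1" in
        10.0.*) version_ge "$1" 10.0.20 ;;
        9.0.*)  version_ge "$1" 9.0.62 ;;
        8.5.*)  version_ge "$1" 8.5.78 ;;
        *)      return 1 ;;
    esac
}

# Java 8 (reported as 1.8.x) is not exposed to the reported vector; 9+ is.
java_is_exposed() {
    case "$1" in
        1.8*|8|8.*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Read the Spring version from the spring-beans jar in a WEB-INF/lib directory,
# e.g. spring-beans-5.3.11.jar -> 5.3.11.
spring_version_from_lib() {
    jar=$(ls "$1"/spring-beans-*.jar 2>/dev/null | head -n 1)
    [ -n "$jar" ] || return 1
    jar=${jar##*/spring-beans-}
    printf '%s\n' "${jar%.jar}"
}

# Verdict for (spring version, tomcat version, java version):
# fixed, not-exposed-java8, mitigated-by-tomcat or exposed.
classify() {
    if spring_is_fixed "$1"; then
        echo fixed
    elif ! java_is_exposed "$3"; then
        echo not-exposed-java8
    elif tomcat_is_fixed "$2"; then
        echo mitigated-by-tomcat
    else
        echo exposed
    fi
}

# Live check of an installed Jamf Pro. The Tomcat home and webapp path are
# assumptions about the Linux install, not documented Jamf paths.
check_install() {
    tomcat_home=${1:-/usr/local/jss/tomcat}
    lib="$tomcat_home/webapps/ROOT/WEB-INF/lib"
    spring=$(spring_version_from_lib "$lib") || { echo "no spring-beans jar under $lib"; return 2; }
    # catalina.sh version prints "Server version: Apache Tomcat/8.5.78".
    tomcat=$("$tomcat_home/bin/catalina.sh" version 2>/dev/null \
             | sed -n 's#^Server version: *Apache Tomcat/##p' | tr -d '[:space:]')
    # java -version prints 'openjdk version "11.0.14" ...' on stderr.
    java=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    echo "spring=$spring tomcat=${tomcat:-unknown} java=${java:-unknown}" \
         "verdict=$(classify "$spring" "${tomcat:-0}" "${java:-9}")"
}

# Only run the live check when a Tomcat home is passed on the command line.
if [ "$#" -gt 0 ]; then
    check_install "$1"
fi
```

Run it as `sh springshell-check.sh /usr/local/jss/tomcat` (or whatever your Tomcat home is) to get a one-line verdict; a result of "exposed" means the instance matches all three conditions in the quoted guidance and the only real remedy is the Jamf Pro update that carries a fixed Spring, while "mitigated-by-tomcat" means the reported vector is blocked but the Spring jar itself is still old.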
Thank you @bentoms . Unfortunately, this is going to take some more detailed work.
I tried to manually upgrade, but it reported that web.xml was corrupted. I replaced the new web.xml from the upgraded Tomcat with the original, so I am assuming that there was some change that I am not aware of. But I'm going to try to troubleshoot stuff when I have time.
Thanks again - hopefully, Jamf will provide updated documentation for manual upgrades on Linux.
We are still running 10.35. There's no published evidence from you that Jamf Pro is affected by this vulnerability, but for peace of mind, it would be good if you tell us if there's a way to manually patch the Spring framework (as there was with the log4j libraries).
Versions prior to 10.36 do contain the vulnerable Spring component. We do not recommend manual upgrades as it is more complex than a direct update of the impacted component, and may cause instability or future update issues. While we did not see a clean path to direct exploitation within Jamf products in the short time since this vulnerability was identified, we recommend everyone update to 10.36.4 or 10.37.2