Spring4Shell Vulnerability

Hi,

Thanks Aaron  found a lot of springframeworks in the Jamf Pro (Cloud) instance server logs (example below) how quickly will this be patched out?

webmvc-5.3.11.jar:5.3.11]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.11.jar:5.3.11]

Do we know if any other Jamf Product are affected by CVE-2022-22965?

Are previous (ex: <10.37.0) versions not affected, and that is the reason the update is being held off? Or is it because the fix will be available very soon and JAMF is avoiding having to update all their cloud servers twice within a very short period?

Can we update to Tomcat 8.5.78 to close the attack vector?

I'd like to second what @Discher asked - how may we patch Tomcat ourselves?

I've asked this before, and Jamf has been mute - but they constantly put out new patches for Jamf Pro with outdated Tomcat versions (10.37.0 came with an old version). We need a method of updating Tomcat to the latest Tomcat 8 version without waiting on Jamf

@ncats_lab if you use the manual installer.. you then manage tomcat etc yourself.

..and, AFAIK.. this vuln isn't Tomcat.. but a framework used within Jamf Pro's .war

It can be mitigated by upgrading Tomcat:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

"

Suggested Workarounds

If you’re able to upgrade to Spring Framework 5.3.18 and 5.2.20, no workarounds are necessary. Downgrading to Java 8 provides a viable workaround, which may be a quick and simple thing to do as a tactical solution, until you can upgrade to a supported Spring Framework version.

For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides protection against the reported attack vector. However, applying the workarounds described next is still a good step to prevent any other possible attack vectors."

Also, we use the tarbal from Jamf to upgrade Jamf (with a .run) . We shouldn't have to do this manually each time in order to replace Tomcat

Also, of note - there is documentation for manually upgrading Jamf Pro on Windows, but not for Linux - the only option provided is upgrading with the installer. 

https://docs.jamf.com/10.37.0/jamf-pro/install-guide-linux/Upgrading_Jamf_Pro_Using_the_Installer_on_Linux.html

@ncats_lab we use the manual installer for our ubuntu kubernetes jamf pro pods.

Basically.. install java.. tomcat.. drop the .war into the web apps directory of tomcat... start tomcat..

In this scenario, mysql is elsewhere.

We are still running 10.35. There's no published evidence from you that Jamf Pro is affected by this vulnerability, but for peace of mind, it would be good if you tell us if there's a way to manually patch the Spring framework (as there was with the log4j libraries).

Due to the mysql dependencies we are still with 10.34.2, so is there anything we can do to mitigate the vulnerability, or do we have to try an emergency update of the mysql version?

As @TeamOC asked (but I was not able to find the answer, if there is any already, sorry ;)):

Are versions <10.36.x also affected? I was not able to find a hint for that.

Thank you

BR
Daniel

Thank you @bentoms . Unfortunately, this is going to take some more detailed work. 

I tried to manually upgrade, but it reported that web.xml was corrupted. I replaced the new web.xml from the upgraded Tomcat with the original, so I am assuming that there was some change that I am not aware of. But I'm going to try to troubleshoot stuff when I have time. 

Thanks again - hopefully, Jamf will provide updated documentation for manual upgrades on Linux.

Versions prior to 10.36 do contain the vulnerable Spring component. We do not recommend manual upgrades as it is more complex than a direct update of the impacted component, and may cause instability or future update issues. While we did not see a clean path to direct exploitation within Jamf products in the short time since this vulnerability was identified, we recommend everyone update to 10.36.4 or 10.37.2