Jamf Nation Community

kaylee_carlson · ‎09-07-2021

Update:

This release includes fixes for security vulnerabilities and it is recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. The following CVEs are addressed by this release:

[PI-006352] CVSS 8.3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39303
[PI-009921] CVSS 7.5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40809

Please read the resolved issues section of the release notes for more information and additional details on the resolved vulnerabilities will be made available at a future date to allow for Jamf Pro instances to be patched before full disclosure.

Hi Jamf Nation,

Jamf is prepared to deliver same-day support for Apple’s latest releases as they become available. Compatibility and new feature support are based on testing with the latest Apple beta releases.

We’re also excited to deliver several improvements including enhancements to the Jamf Parent App, iOS updates and restrictions, macOS restrictions and inventory updates, and recovery lock for macOS. In addition, Jamf Setup and Jamf Reset 3.1.0 is available today! The enhancement includes:

Improved UI enhancements for iPad support
Bug fixes and performance improvements

Read the full release notes here.

Kaylee

Cloud Upgrade Schedule
Your Jamf Pro server, including any free sandbox environments, will be updated to Jamf Pro 10.32 based on your hosted data region below.

Need assistance identifying the Hosted Data Region of your Jamf Cloud instance? Check out this guide to find out how.

Hosted Region	Begins	Ends
ap-southeast-2	Sept 17 at 1400 UTC	Sept 17 at 2300 UTC
ap-northeast-1	Sept 17 at 1500 UTC	Sept 17 at 2300 UTC
eu-central-1	Sept 17 at 2200 UTC	Sept 18 at 0800 UTC
eu-west-2	Sept 17 at 2300 UTC	Sept 18 at 0500 UTC
us-east-1	Sept 18 at 0400 UTC	Sept 18 at 1900 UTC
us-east-1 sandbox	Sept 18 at 0000 UTC	Sept 18 at 0900 UTC
us-west-2	Sept 18 at 0700 UTC	Sept 18 at 1900 UTC

Next Steps

For real-time messages about your upgrade, subscribe to alerts.

For information on what's new in Jamf Pro 10.32, please review the release notes.

mschroder · ‎09-07-2021

I am very surprised to see that

- somewhere hidden in the release notes I see "It is strongly recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. This vulnerability has the potential to impact the integrity and availability of your web server." This is really a very bad way of communicating a critical vulnerability.

- the installer suddenly requires 150 GB of disk space? Are you kidding? And the installer silently quits, and I need to search for the reason.

I have my database on an external server, so I certainly don't need 150GB of free disk space to update the jss. Can someone tell me were I can fix the installer so I can update my JSS and secure my server and all the devices it configures?

cbrewer · ‎09-08-2021

It looks to me like it's only a recommendation to have 150GB free space. I successfully upgraded a test environment with only 40GB free.

grahamrpugh · ‎09-07-2021

Regarding the security vulnerabilities, given that we run a service with an SLA, we require information about whether an emergency change is required. Otherwise we have a 2 week wait for any break in service. So I need concrete information about whether the vulnerability affects us before submitting an ECR. For example, can the vulnerability penetrate through a load balancer when the Jamf Pro Servers themselves are protected by firewall?

mikeindabush · ‎09-07-2021

It looks like this release, according to the release notes, patches 3 serious security vulnerabilities. Why is that not addressed up-front either in this post or why was no notice sent out about the vulnerabilities like the notice that was sent for the 10.30.1 release?

mvanstone · ‎09-07-2021

Upgraded from 10.30.3 to 10.32, no issues.

All seems ok.

boberito · ‎09-08-2021

I'm not sure how an organization goes about getting CVEs and registered through that system, but I feel like Jamf is large enough and in enough critical locations they really need to be issuing CVEs and real disclosure of security issues like this. Comparing 1 product or company to another isn't always the best BUT other management tools such as Workspace One, BigFix, Maas360, and MobileIron issue CVEs and this type of information correctly when they have issues.

I really love Jamf and wave the flag, but they're no longer a small company with a niche market share, they're THE tool for macOS management. It's a publicly traded company. They can't continue acting like some small startup.

grahamrpugh · ‎09-08-2021

I get why they aren't publicly releasing information yet. We need time to upgrade, and revealing the vulnerability in detail just makes that more urgent.

However, I would like to be contacted privately with some details, like a severity score and whether it affects on-premises and/or cloud, if load balancers are any protection, and whether we should be blocking access until we can upgrade, etc.

In fact, only one of our team were notified of the release of 10.32 by email at all, and the email was, according to my colleague, "very strange, in German, no images/logos, looked very much like spam". If he'd been on holiday I would possibly have no idea of the release. That's not good enough.

mvanstone · ‎09-08-2021

Dealing with the Microsoft Exchange issues the past few months has been scary for me, servers getting hacked and loaded with ransomware.

Any Internet facing server with a vulnerability is a giant risk. I patched immediately I don’t want to find a web shell sitting on my jamf server.

These vulnerabilities should have a CVE score so people know how to react.

kaylee_carlson · ‎09-10-2021

Thank you for your patience as we make the CVE and CVSS information available. We continue to strive to get this information to the community as fast and safe as we are able to for medium or higher issues.

catesr · ‎09-13-2021

As mentioned above. It would be nice to know if this is a on-premise situation only or does it affect cloud customers as well. I can only guess it's on-premise as we are cloud and our upgrade 10.32 is not scheduled until this coming Friday. 😮

Aaron_Kiemele · ‎09-13-2021

The CVEs mentioned above are applicable to on-prem and cloud environments. If a CVE is only relevant to a portion of our customers, that we clearly mark it as such.

To limit the chance of someone exploiting responsibly disclosed vulnerabilities while customer owned instances are still being patched, we restrict the full details on the CVE. In this particular case, Jamf Cloud customers aren't required to take any action in order to further safeguard their Jamf Pro instances. When you choose to host in Jamf Cloud we have additional mechanisms to ensure the security of your instances.

peternbevan · ‎09-13-2021

Shouldn't this important announcement be pinned at the top? I just happened to come across it after a LOT of scrolling. Now I've got to put a Change Request in process as soon as possible to get our system patched.

CasperSally5432 · ‎09-17-2021

I just logged in to read release notes and am seeing mention about the vuln there. Was an email sent and this is another security related email I never got from jamf? Customers shouldn't be expected to come to jamf.com to get info like this.

[PI-006352] This release fixes a security vulnerability with Jamf Pro. It is strongly recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. This vulnerability has the potential to impact the integrity and availability of your web server. More details will be communicated via email and on Jamf Nation.

Jamf Nation Community

What's new in Jamf Pro 10.32 Release