Update on mitigations to log4j vulnerability and Jamf

[Paul Stephen]

Hi

I am sharing the below this advisory from Jamf.  

 

On December 9, 2021, a Remote Code Execution (RCE) vulnerability (CVE-2021-44228) was identified in the log4j library (https://www.lunasec.io/docs/blog/log4j-zero-day/) and multiple threat actors have been found to be scanning for vulnerable systems. We are actively working to assess the impact and mitigate the vulnerability across our platform (tracked as PI-010403).

 

Due to the nature of the issue, this is considered a critical vulnerability.

 

What Jamf products are impacted by the vulnerability?

 

Jamf Pro (hosted on-premises): Affected

Jamf Pro 10.14 and later include Java 11 which partially mitigated the issue. We are actively working on a complete mitigation in a new Jamf Pro release. Until this version is available, a manual workaround to update the log4j library directly is documented below.

 

Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated

Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.

 

Jamf Connect: Not affected

Jamf Connect does not use the affected libraries.

 

Jamf Now: Not affected

Jamf Now does not use the affected libraries.

 

Jamf Protect: Not affected

Jamf Protect does not use the affected libraries.

 

Jamf School: Not affected

Jamf School does not use the affected libraries.

 

Jamf Threat Defense: Not affected

Jamf Threat Defense does not use the affected libraries.

 

Jamf Data Policy: Not affected

Jamf Data Policy does not use the affected libraries.

 

Jamf Private Access: Not affected

Jamf Private Access does not use the affected libraries.

 

Health Care Listener: Not vulnerable

While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.

 

Jamf Infrastructure Manager: Not vulnerable

While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.

 

Next Steps

We will be releasing updates for affected products as quickly as feasible. However, you can choose to work around the issue by manually updating the log4j instances of the affected systems as described in our technical documentation. If you choose to implement the manual workaround as described, future version updates will not be affected. For assistance with this workaround, please reach out to sup...@jamf.com.

 

We are actively continuing to assess the impact and mitigate the vulnerability across our platform. Please note that some customers may experience brief Jamf Cloud interruptions over the weekend as a result of security updates and refinements. If you have any questions, please reach out to Customer Success.