Jamf Pro and log4shell (CVE-2021-44228)


A couple of days ago, a high-severity vulnerability (CVE-2021-44228) impacting multiple versions of the Log4j 2 utility was disclosed publicly via the project’s GitHub.

The vulnerability allows for Remote Code Execution (RCE) when a certain string is logged, with the potential impact of the exploit being full server control.

More information on this vulnerability can be found at numerous sources, including the below:

Log4j 2 is included within Jamf Pro for logging, but don’t panic!

If you’re a Jamf Cloud customer, then this has already been mitigated as per this post on Jamf Nation.

If you self host Jamf Pro, then the below applies:

Jamf Pro versions older than 10.14 are vulnerable to this issue. Versions 10.14 through 10.34 include Java 11, which partially mitigates the issue. The Jamf Pro 10.34.1 release was made available to address the issue completely. Please update to this version as soon as possible.

https://community.jamf.com/t5/jamf-pro/third-party-security-issue/td-p/253740

If you cannot upgrade to 10.34.1, you can manually update Log4j as per the steps documented here.

And, if you are having to upgrade from a few versions behind, don’t go alone.. take this.
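If you do end up updating Log4j by hand, it's worth confirming afterwards that no old copy is left behind. The script below is an added example, not something from Jamf or the linked steps: it lists every `log4j-core` JAR under a directory you pass in and flags any older than a fixed version. The directory argument, the function names and the 2.15.0 default (Apache's fix release for CVE-2021-44228, which this page does not state) are assumptions.

```shell
#!/bin/sh
# Added example: inventory log4j-core JARs under a directory and flag old ones.
# FIXED_VERSION defaults to 2.15.0, Apache's fix release for CVE-2021-44228
# (an assumption taken from Apache's advisory, not from this page).
# Backport releases on older branches are not special-cased and show as OUTDATED.
FIXED_VERSION="${FIXED_VERSION:-2.15.0}"

# version_lt A B: succeed when version A sorts strictly before release B.
version_lt() {
    # A qualifier such as "-beta9" or "-rc1" marks a pre-release of that number.
    case $1 in *-*) pre=1 ;; *) pre=0 ;; esac
    awk -v a="${1%%-*}" -v b="$2" -v pre="$pre" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit (pre ? 0 : 1)   # same numbers: a pre-release sorts before the release
    }' </dev/null
}

# scan_log4j DIR: print "STATUS VERSION PATH" for each log4j-core JAR under DIR.
# Returns 1 when at least one JAR is older than FIXED_VERSION, otherwise 0.
scan_log4j() {
    rc=0
    list=$(find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort)
    # Read from a here-document so the loop runs in this shell and rc survives.
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        ver=${jar##*/log4j-core-}   # drop directory and artifact name
        ver=${ver%.jar}             # drop extension, leaving e.g. 2.14.1
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "OUTDATED $ver $jar"
            rc=1
        else
            echo "OK $ver $jar"
        fi
    done <<EOF
$list
EOF
    return $rc
}

# Run the scan when a directory is given, e.g. the server's webapp folder.
if [ "$#" -gt 0 ]; then
    scan_log4j "$1"
fi
```

The check reads the version from the file name only, so a renamed or repackaged JAR will not be caught by it.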
