On Thursday, December 9th 2021, a vulnerability was publicly disclosed in the popular Java logging library log4j which allows Remote Code Execution (RCE) simply by getting the application to log a certain attacker-controlled string. This vulnerability has been dubbed Log4Shell:
Log4Shell (yes it has a name, I'll do a logo in MS Paint soon) is now CVE-2021-44228.
Impacted versions of Log4j (2.0 – 2.14.1) are indeed in Apache Struts2. Your JDK config may save you from exploitation, some distros ship secure configs by default.
— Kevin Beaumont (@GossiTheDog) December 10, 2021
How bad is this? I’ll let the video below, of a Minecraft server being turned into a DOOM server via this vulnerability, speak to how a remote attacker could use Log4Shell to give you a bad day:
so fixing log4shell is great and all, but.. wouldn't it be ✨ amazing ✨ if we all just promised to be nice and instead use this power to make vanilla minecraft doom server 🤔 pic.twitter.com/tCaUCG1dqg
— Gegy (@gegy1000) December 11, 2021
It’s bad. It’s hard to overstate how bad. My colleague Ben Toms has a good write-up on this issue here:
https://macmule.com/2021/12/11/jamf-pro-and-log4shell-cve-2021-44228
To address this vulnerability, the log4j folks have released an updated version of the logging library which closes the hole. It’s log4j 2.15.0 and is available for download via the link below:
https://logging.apache.org/log4j/2.x/download.html
The file to download is one of the following two:
Both have the same contents; the only difference is the compression format. Once downloaded and uncompressed, you should have the following files:
LICENSE.txt
NOTICE.txt
RELEASE-NOTES.md
log4j-1.2-api-2.15.0-javadoc.jar
log4j-1.2-api-2.15.0-sources.jar
log4j-1.2-api-2.15.0.jar
log4j-api-2.15.0-javadoc.jar
log4j-api-2.15.0-sources.jar
log4j-api-2.15.0.jar
log4j-appserver-2.15.0-javadoc.jar
log4j-appserver-2.15.0-sources.jar
log4j-appserver-2.15.0.jar
log4j-cassandra-2.15.0-javadoc.jar
log4j-cassandra-2.15.0-sources.jar
log4j-cassandra-2.15.0.jar
log4j-core-2.15.0-javadoc.jar
log4j-core-2.15.0-sources.jar
log4j-core-2.15.0-tests.jar
log4j-core-2.15.0.jar
log4j-couchdb-2.15.0-javadoc.jar
log4j-couchdb-2.15.0-sources.jar
log4j-couchdb-2.15.0.jar
log4j-docker-2.15.0-javadoc.jar
log4j-docker-2.15.0-sources.jar
log4j-docker-2.15.0.jar
log4j-flume-ng-2.15.0-javadoc.jar
log4j-flume-ng-2.15.0-sources.jar
log4j-flume-ng-2.15.0.jar
log4j-iostreams-2.15.0-javadoc.jar
log4j-iostreams-2.15.0-sources.jar
log4j-iostreams-2.15.0.jar
log4j-jcl-2.15.0-javadoc.jar
log4j-jcl-2.15.0-sources.jar
log4j-jcl-2.15.0.jar
log4j-jdbc-dbcp2-2.15.0-javadoc.jar
log4j-jdbc-dbcp2-2.15.0-sources.jar
log4j-jdbc-dbcp2-2.15.0.jar
log4j-jmx-gui-2.15.0-javadoc.jar
log4j-jmx-gui-2.15.0-sources.jar
log4j-jmx-gui-2.15.0.jar
log4j-jpa-2.15.0-javadoc.jar
log4j-jpa-2.15.0-sources.jar
log4j-jpa-2.15.0.jar
log4j-jul-2.15.0-javadoc.jar
log4j-jul-2.15.0-sources.jar
log4j-jul-2.15.0.jar
log4j-liquibase-2.15.0-javadoc.jar
log4j-liquibase-2.15.0-sources.jar
log4j-liquibase-2.15.0.jar
log4j-mongodb3-2.15.0-javadoc.jar
log4j-mongodb3-2.15.0-sources.jar
log4j-mongodb3-2.15.0.jar
log4j-mongodb4-2.15.0-javadoc.jar
log4j-mongodb4-2.15.0-sources.jar
log4j-mongodb4-2.15.0.jar
log4j-slf4j-impl-2.15.0-javadoc.jar
log4j-slf4j-impl-2.15.0-sources.jar
log4j-slf4j-impl-2.15.0.jar
log4j-slf4j18-impl-2.15.0-javadoc.jar
log4j-slf4j18-impl-2.15.0-sources.jar
log4j-slf4j18-impl-2.15.0.jar
log4j-spring-boot-2.15.0-javadoc.jar
log4j-spring-boot-2.15.0-sources.jar
log4j-spring-boot-2.15.0.jar
log4j-spring-cloud-config-client-2.15.0-javadoc.jar
log4j-spring-cloud-config-client-2.15.0-sources.jar
log4j-spring-cloud-config-client-2.15.0.jar
log4j-taglib-2.15.0-javadoc.jar
log4j-taglib-2.15.0-sources.jar
log4j-taglib-2.15.0.jar
log4j-to-slf4j-2.15.0-javadoc.jar
log4j-to-slf4j-2.15.0-sources.jar
log4j-to-slf4j-2.15.0.jar
log4j-web-2.15.0-javadoc.jar
log4j-web-2.15.0-sources.jar
log4j-web-2.15.0.jar
The ones relevant to Jamf Pro are the following:
For more details, please see below the jump.
The folks at Jamf jumped on this issue and have put together a list of how it affects those of their products which use the log4j library:
What Jamf products are impacted by the vulnerability?
Jamf Pro (hosted on-premises): Patched
Jamf Pro versions older than 10.14 are vulnerable to this issue. Versions 10.14 through 10.34 include Java 11, which partially mitigates the issue. The Jamf Pro 10.34.1 release was made available to address the issue completely. Please update to this version as soon as possible.
Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated
Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.
Jamf Connect: Not affected
Jamf Connect does not use the affected libraries.
Jamf Now: Not affected
Jamf Now does not use the affected libraries.
Jamf Protect: Not affected
Jamf Protect does not use the affected libraries.
Jamf School: Not affected
Jamf School does not use the affected libraries.
Jamf Threat Defense: Not affected
Jamf Threat Defense does not use the affected libraries.
Jamf Data Policy: Not affected
Jamf Data Policy does not use the affected libraries.
Jamf Private Access: Not affected
Jamf Private Access does not use the affected libraries.
Health Care Listener: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
Jamf Infrastructure Manager: Not vulnerable
While Jamf Infrastructure Manager does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
To summarize, Jamf found that the main product which was vulnerable was Jamf Pro. To protect Jamf Cloud-hosted instances, Jamf implemented security controls on their end which block remote attempts to exploit the vulnerability, without needing to upgrade every cloud customer to a new version of Jamf Pro.
For folks hosting their own Jamf Pro instances, Jamf has released Jamf Pro 10.34.1. If you are in a position to upgrade, upgrading to Jamf Pro 10.34.1 is the best answer. This version of Jamf Pro includes the fixed 2.15.0 version of log4j and installs the following files:
These files are located in the following directories on platforms which support running Jamf Pro Server:
If for some reason it is not possible to upgrade to Jamf Pro 10.34.1 at this time and your Jamf Pro server is not hosted in Jamf Cloud, the vulnerability can also be mitigated by manually copying the updated log4j .jar files into place. Jamf has a technical article posted which describes this process. If you are not able to upgrade to 10.34.1 and you’re hosting Jamf Pro outside of Jamf Cloud, I strongly recommend following that article to get the updated log4j .jar files in place as soon as possible.
Note: Something very important to know is that the log4j .jar files are overwritten as part of a normal Jamf Pro upgrade, so unless you are upgrading to Jamf Pro 10.34.1 or later, this fix has to be re-applied after every upgrade.
If you’re coming from an older version of Jamf Pro and have to step through vulnerable intermediate versions on the way to the latest one, repeat the manual replacement of the log4j .jar files after each of those upgrades.
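Because an upgrade can silently put an old log4j-core back, it is worth having a check you can run against the server after every upgrade rather than trusting memory. The script below is an added example for this post, not Jamf’s or Apache’s tooling: it walks a directory, opens every .jar/.war/.ear it finds, recognises log4j-core by its package path, reads the version from the jar manifest (falling back to the filename), recurses into jars bundled inside a WAR, and flags anything below 2.15.0 or whose version it cannot read. The Tomcat webapps path in the usage comment, the make_jar/make_war helpers and the jars they build are constructed for illustration; the JndiLookup.class check is an extra indicator that the post itself does not discuss.

```python
"""Audit a directory tree for log4j-core jars older than a minimum version.

Added example (not Jamf's or Apache's code). Sample archives are constructed
in-process by make_jar()/make_war(); point scan_tree() at a real install.
"""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

MIN_FIXED = (2, 15, 0)  # version the post says Jamf Pro 10.34.1 ships
# Class implementing the ${jndi:...} lookup in log4j-core 2.x (extra indicator).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FILENAME_VERSION = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?)")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if the string does not start with a version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def inspect_archive(path, data, depth=0):
    """Findings for log4j-core in this archive and in archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive
    with zf:
        names = zf.namelist()
        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            version = manifest_version(zf)
            if version is None:  # fall back to the filename, e.g. log4j-core-2.3.jar
                m = FILENAME_VERSION.search(Path(path).name)
                version = m.group(1) if m else None
            parsed = parse_version(version)
            findings.append({
                "path": path,
                "version": version,
                # Unreadable version is reported as vulnerable: fail closed.
                "vulnerable": parsed is None or parsed < MIN_FIXED,
                "has_jndi_lookup": JNDI_CLASS in names,
            })
        if depth < 3:  # WAR/EAR/fat-jar nesting, bounded so recursion cannot run away
            for n in names:
                if n.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(inspect_archive(f"{path}!/{n}", zf.read(n), depth + 1))
    return findings


def scan_tree(root):
    """Inspect every archive under root and return the combined findings."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(str(p), p.read_bytes()))
    return findings


def make_jar(version, include_jndi, core=True, with_manifest=True):
    """Constructed sample: a minimal zip shaped like a log4j jar (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        pkg = "org/apache/logging/log4j/core/" if core else "org/apache/logging/log4j/"
        zf.writestr(pkg + "Marker.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def make_war(entries):
    """Constructed sample: wrap jars in a WAR so nested scanning is exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo_scan():
    """Write the constructed samples to a temp dir and scan them end to end."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d, "webapps", "ROOT", "WEB-INF", "lib")
        lib.mkdir(parents=True)
        (lib / "log4j-core-2.14.1.jar").write_bytes(make_jar("2.14.1", True))
        (lib / "log4j-api-2.14.1.jar").write_bytes(make_jar("2.14.1", False, core=False))
        Path(d, "webapps", "other.war").write_bytes(
            make_war({"WEB-INF/lib/log4j-core-2.15.0.jar": make_jar("2.15.0", True)}))
        return scan_tree(d)


if __name__ == "__main__":
    # e.g. python log4j_audit.py /usr/local/jss/tomcat/webapps  (path is an assumption)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for f in results:
        state = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{state:10} {f['version'] or 'unknown':8} jndi={f['has_jndi_lookup']} {f['path']}")
```

Run it with no arguments to see the constructed samples scanned, or with the path to your Jamf Pro Tomcat directory; anything printed as VULNERABLE after an upgrade means the manual replacement has to be done again.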