Remediating Log4Shell on Jamf Pro
2021-12-14 06:14:36 Author: derflounder.wordpress.com(查看原文) 阅读量:80 收藏

Home > Jamf Pro, Java > Remediating Log4Shell on Jamf Pro

Remediating Log4Shell on Jamf Pro

On Thursday, December 9th 2021, a vulnerability was discovered in the popular Java logging library (log4j) which allowed for Remote Code Execution (RCE) by logging a certain string. This vulnerability has been dubbed Log4shell:

Log4Shell (yes it has a name, I'll do a logo in MS Paint soon) is now CVE-2021-44228.

Impacted versions of Log4j (2.0 – 2.14.1) are indeed in Apache Struts2. Your JDK config may save you from exploitation, some distros ship secure configs by default.

— Kevin Beaumont (@GossiTheDog) December 10, 2021

How bad is this? I’ll let the below video of a Minecraft server being changed into a DOOM server via this vulnerability speak to how a remote attacker could use Log4shell to give you a bad day:

so fixing log4shell is great and all, but.. wouldn't it be ✨ amazing ✨ if we all just promised to be nice and instead use this power to make vanilla minecraft doom server 🤔 pic.twitter.com/tCaUCG1dqg

— Gegy (@gegy1000) December 11, 2021

It’s bad. It’s hard to overstate how bad. My colleague Ben Toms has a good write up on this issue here:

https://macmule.com/2021/12/11/jamf-pro-and-log4shell-cve-2021-44228

To address this vulnerability, the log4j folks have released an updated version of the logging tool which is not vulnerable. It’s log4j 2.1.5 and is available for download via the link below:

https://logging.apache.org/log4j/2.x/download.html

The files to download are one of the following two:

  • Apache log4j 2 binary (tar.gz)
  • Apache log4j 2 binary (zip)

Both have the same contents, the main difference is how they are compressed. Once downloaded and uncompressed, you should have the following files:


LICENSE.txt
NOTICE.txt
RELEASE-NOTES.md
log4j-1.2-api-2.15.0-javadoc.jar
log4j-1.2-api-2.15.0-sources.jar
log4j-1.2-api-2.15.0.jar
log4j-api-2.15.0-javadoc.jar
log4j-api-2.15.0-sources.jar
log4j-api-2.15.0.jar
log4j-appserver-2.15.0-javadoc.jar
log4j-appserver-2.15.0-sources.jar
log4j-appserver-2.15.0.jar
log4j-cassandra-2.15.0-javadoc.jar
log4j-cassandra-2.15.0-sources.jar
log4j-cassandra-2.15.0.jar
log4j-core-2.15.0-javadoc.jar
log4j-core-2.15.0-sources.jar
log4j-core-2.15.0-tests.jar
log4j-core-2.15.0.jar
log4j-couchdb-2.15.0-javadoc.jar
log4j-couchdb-2.15.0-sources.jar
log4j-couchdb-2.15.0.jar
log4j-docker-2.15.0-javadoc.jar
log4j-docker-2.15.0-sources.jar
log4j-docker-2.15.0.jar
log4j-flume-ng-2.15.0-javadoc.jar
log4j-flume-ng-2.15.0-sources.jar
log4j-flume-ng-2.15.0.jar
log4j-iostreams-2.15.0-javadoc.jar
log4j-iostreams-2.15.0-sources.jar
log4j-iostreams-2.15.0.jar
log4j-jcl-2.15.0-javadoc.jar
log4j-jcl-2.15.0-sources.jar
log4j-jcl-2.15.0.jar
log4j-jdbc-dbcp2-2.15.0-javadoc.jar
log4j-jdbc-dbcp2-2.15.0-sources.jar
log4j-jdbc-dbcp2-2.15.0.jar
log4j-jmx-gui-2.15.0-javadoc.jar
log4j-jmx-gui-2.15.0-sources.jar
log4j-jmx-gui-2.15.0.jar
log4j-jpa-2.15.0-javadoc.jar
log4j-jpa-2.15.0-sources.jar
log4j-jpa-2.15.0.jar
log4j-jul-2.15.0-javadoc.jar
log4j-jul-2.15.0-sources.jar
log4j-jul-2.15.0.jar
log4j-liquibase-2.15.0-javadoc.jar
log4j-liquibase-2.15.0-sources.jar
log4j-liquibase-2.15.0.jar
log4j-mongodb3-2.15.0-javadoc.jar
log4j-mongodb3-2.15.0-sources.jar
log4j-mongodb3-2.15.0.jar
log4j-mongodb4-2.15.0-javadoc.jar
log4j-mongodb4-2.15.0-sources.jar
log4j-mongodb4-2.15.0.jar
log4j-slf4j-impl-2.15.0-javadoc.jar
log4j-slf4j-impl-2.15.0-sources.jar
log4j-slf4j-impl-2.15.0.jar
log4j-slf4j18-impl-2.15.0-javadoc.jar
log4j-slf4j18-impl-2.15.0-sources.jar
log4j-slf4j18-impl-2.15.0.jar
log4j-spring-boot-2.15.0-javadoc.jar
log4j-spring-boot-2.15.0-sources.jar
log4j-spring-boot-2.15.0.jar
log4j-spring-cloud-config-client-2.15.0-javadoc.jar
log4j-spring-cloud-config-client-2.15.0-sources.jar
log4j-spring-cloud-config-client-2.15.0.jar
log4j-taglib-2.15.0-javadoc.jar
log4j-taglib-2.15.0-sources.jar
log4j-taglib-2.15.0.jar
log4j-to-slf4j-2.15.0-javadoc.jar
log4j-to-slf4j-2.15.0-sources.jar
log4j-to-slf4j-2.15.0.jar
log4j-web-2.15.0-javadoc.jar
log4j-web-2.15.0-sources.jar
log4j-web-2.15.0.jar

The ones relevant to Jamf Pro are the following:

  • log4j-1.2-api-2.15.0.jar
  • log4j-api-2.15.0.jar
  • log4j-core-2.15.0.jar
  • log4j-slf4j-impl-2.15.0.jar

For more details, please see below the jump.

The folks at Jamf jumped on this issue and they’ve put together a list of how this affects their products which use the log4j logging tool:


What Jamf products are impacted by the vulnerability?
Jamf Pro (hosted on-premises): Patched
Jamf Pro versions older than 10.14 are vulnerable to this issue. Versions 10.14 through 10.34 include Java 11, which partially mitigates the issue. The Jamf Pro 10.34.1 release was made available to address the issue completely. Please update to this version as soon as possible.
Jamf Pro (Jamf Cloud and Jamf Cloud Premium) Mitigated
Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.
Jamf Connect: Not affected
Jamf Connect does not use the affected libraries.
Jamf Now: Not affected
Jamf Now does not use the affected libraries.
Jamf Protect: Not affected
Jamf Protect does not use the affected libraries.
Jamf School: Not affected
Jamf School does not use the affected libraries.
Jamf Threat Defense: Not affected
Jamf Threat Defense does not use the affected libraries.
Jamf Data Policy: Not affected
Jamf Data Policy does not use the affected libraries.
Jamf Private Access: Not affected
Jamf Private Access does not use the affected libraries.
Health Care Listener: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
Jamf Infrastructure Manager: Not vulnerable
While Jamf Infrastructure Manager does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.

To summarize, Jamf found that the main product which was vulnerable was Jamf Pro. To protect Jamf Cloud-hosted instances, Jamf was able to implement security controls on their end to mitigate the vulnerability. These controls allowed Jamf to block remote attempts to use the vulnerability without needing to upgrade everyone to a new version of Jamf Pro.

For folks hosting their own Jamf Pro instances, Jamf has released Jamf Pro 10.34.1. For folks in a position to upgrade, upgrading to Jamf Pro 10.34.1 is the best answer. This version of Jamf Pro includes the fixed 2.15.0 version of log4j and installs the following files:

  • log4j-1.2-api-2.15.0.jar
  • log4j-api-2.15.0.jar
  • log4j-core-2.15.0.jar
  • log4j-slf4j-impl-2.15.0.jar

These files are located in the following directories on platforms which support running Jamf Pro Server:

  • Linux:
    • /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib/
  • Windows:
    • C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\lib\
  • macOS:
    • /Library/JSS/Tomcat/webapps/ROOT/WEB-INF/lib/

If for some reason it is not possible to upgrade to Jamf Pro 10.34.1 at this time and your Jamf Pro Server is not hosted in Jamf Cloud, it is also possible to mitigate the vulnerability by manually copying the updated version of the log4j tools into place. Jamf has a technical article posted which describes this process. If you are not able to upgrade to 10.34.1 and you’re hosting Jamf Pro outside of Jamf Cloud, I strongly recommend following this article to get the updated log4j.jar files in place as soon as possible.

Note: Something very important to know is that these logging tools are replaced as part of a normal Jamf Pro upgrade, so if you’re not upgrading to Jamf Pro 10.34.1 or later, this fix would need to be re-applied for each upgrade.

If you’re upgrading from an older version of Jamf Pro and need to upgrade to certain vulnerable versions along the way to getting to the latest version, you will need to repeat manually re-adding the non-vulnerable log4j.jar files as part of each upgrade.


文章来源: https://derflounder.wordpress.com/2021/12/13/remediating-log4shell-on-jamf-pro/
如有侵权请联系:admin#unsafe.sh