Archive

Archive for December 13, 2021

Remediating Log4Shell on Jamf Pro

December 13, 2021 2 comments

On Thursday, December 9th 2021, a vulnerability was discovered in the popular Java logging library (log4j) which allowed for Remote Code Execution (RCE) by logging a certain string. This vulnerability has been dubbed Log4shell:

How bad is this? I’ll let the below video of a Minecraft server being changed into a DOOM server via this vulnerability speak to how a remote attacker could use Log4shell to give you a bad day:

It’s bad. It’s hard to overstate how bad. My colleague Ben Toms has a good write up on this issue here:

https://macmule.com/2021/12/11/jamf-pro-and-log4shell-cve-2021-44228

To address this vulnerability, the log4j folks have released an updated version of the logging tool which is not vulnerable. It’s log4j 2.1.5 and is available for download via the link below:

https://logging.apache.org/log4j/2.x/download.html


Update 12-15-2021:

Log4j 2.16.0 has been released to address remaining vulnerabilities in 2.15.0 by completely disabling Java Naming and Directory Interface (JNDI) lookups by default. It can be downloaded via the link below:

https://logging.apache.org/log4j/2.x/download.html

Insecure JNDI lookups are what enable the Log4Shell vulnerability, so having JNDI disabled by default in addition to 2.16.0’s removal of its message lookups functionality fixes the vulnerability .

Jamf has stated that they have evaluated CVE-2021-45046, which prompted the release of 2.16.0, and the results of their evaluation are that it does not appear that the conditions which are covered by CVE-2021-45046 should occur with Jamf’s products.

Screen Shot 2021-12-15 at 10.28.24 AM

As of December 15th 2021, Jamf has not provided guidance on updating from log4j 2.15.0 to log4j 2.16.0


The files to download are one of the following two:

  • Apache log4j 2 binary (tar.gz)
  • Apache log4j 2 binary (zip)

Both have the same contents, the main difference is how they are compressed. Once downloaded and uncompressed, you should have the following files:


LICENSE.txt
NOTICE.txt
RELEASE-NOTES.md
log4j-1.2-api-2.15.0-javadoc.jar
log4j-1.2-api-2.15.0-sources.jar
log4j-1.2-api-2.15.0.jar
log4j-api-2.15.0-javadoc.jar
log4j-api-2.15.0-sources.jar
log4j-api-2.15.0.jar
log4j-appserver-2.15.0-javadoc.jar
log4j-appserver-2.15.0-sources.jar
log4j-appserver-2.15.0.jar
log4j-cassandra-2.15.0-javadoc.jar
log4j-cassandra-2.15.0-sources.jar
log4j-cassandra-2.15.0.jar
log4j-core-2.15.0-javadoc.jar
log4j-core-2.15.0-sources.jar
log4j-core-2.15.0-tests.jar
log4j-core-2.15.0.jar
log4j-couchdb-2.15.0-javadoc.jar
log4j-couchdb-2.15.0-sources.jar
log4j-couchdb-2.15.0.jar
log4j-docker-2.15.0-javadoc.jar
log4j-docker-2.15.0-sources.jar
log4j-docker-2.15.0.jar
log4j-flume-ng-2.15.0-javadoc.jar
log4j-flume-ng-2.15.0-sources.jar
log4j-flume-ng-2.15.0.jar
log4j-iostreams-2.15.0-javadoc.jar
log4j-iostreams-2.15.0-sources.jar
log4j-iostreams-2.15.0.jar
log4j-jcl-2.15.0-javadoc.jar
log4j-jcl-2.15.0-sources.jar
log4j-jcl-2.15.0.jar
log4j-jdbc-dbcp2-2.15.0-javadoc.jar
log4j-jdbc-dbcp2-2.15.0-sources.jar
log4j-jdbc-dbcp2-2.15.0.jar
log4j-jmx-gui-2.15.0-javadoc.jar
log4j-jmx-gui-2.15.0-sources.jar
log4j-jmx-gui-2.15.0.jar
log4j-jpa-2.15.0-javadoc.jar
log4j-jpa-2.15.0-sources.jar
log4j-jpa-2.15.0.jar
log4j-jul-2.15.0-javadoc.jar
log4j-jul-2.15.0-sources.jar
log4j-jul-2.15.0.jar
log4j-liquibase-2.15.0-javadoc.jar
log4j-liquibase-2.15.0-sources.jar
log4j-liquibase-2.15.0.jar
log4j-mongodb3-2.15.0-javadoc.jar
log4j-mongodb3-2.15.0-sources.jar
log4j-mongodb3-2.15.0.jar
log4j-mongodb4-2.15.0-javadoc.jar
log4j-mongodb4-2.15.0-sources.jar
log4j-mongodb4-2.15.0.jar
log4j-slf4j-impl-2.15.0-javadoc.jar
log4j-slf4j-impl-2.15.0-sources.jar
log4j-slf4j-impl-2.15.0.jar
log4j-slf4j18-impl-2.15.0-javadoc.jar
log4j-slf4j18-impl-2.15.0-sources.jar
log4j-slf4j18-impl-2.15.0.jar
log4j-spring-boot-2.15.0-javadoc.jar
log4j-spring-boot-2.15.0-sources.jar
log4j-spring-boot-2.15.0.jar
log4j-spring-cloud-config-client-2.15.0-javadoc.jar
log4j-spring-cloud-config-client-2.15.0-sources.jar
log4j-spring-cloud-config-client-2.15.0.jar
log4j-taglib-2.15.0-javadoc.jar
log4j-taglib-2.15.0-sources.jar
log4j-taglib-2.15.0.jar
log4j-to-slf4j-2.15.0-javadoc.jar
log4j-to-slf4j-2.15.0-sources.jar
log4j-to-slf4j-2.15.0.jar
log4j-web-2.15.0-javadoc.jar
log4j-web-2.15.0-sources.jar
log4j-web-2.15.0.jar

view raw

output.txt

hosted with ❤ by GitHub

The ones relevant to Jamf Pro are the following:

  • log4j-1.2-api-2.15.0.jar
  • log4j-api-2.15.0.jar
  • log4j-core-2.15.0.jar
  • log4j-slf4j-impl-2.15.0.jar

For more details, please see below the jump.

Read more…

Categories: Jamf Pro, Java
%d bloggers like this: