Home > Jamf Pro, Java > Remediating Log4Shell on Jamf Pro

Remediating Log4Shell on Jamf Pro

On Thursday, December 9th 2021, a vulnerability was discovered in the popular Java logging library (log4j) which allowed for Remote Code Execution (RCE) by logging a certain string. This vulnerability has been dubbed Log4shell:

How bad is this? I’ll let the below video of a Minecraft server being changed into a DOOM server via this vulnerability speak to how a remote attacker could use Log4shell to give you a bad day:

It’s bad. It’s hard to overstate how bad. My colleague Ben Toms has a good write up on this issue here:

https://macmule.com/2021/12/11/jamf-pro-and-log4shell-cve-2021-44228

To address this vulnerability, the log4j folks have released an updated version of the logging tool which is not vulnerable. It’s log4j 2.1.5 and is available for download via the link below:

https://logging.apache.org/log4j/2.x/download.html


Update 12-15-2021:

Log4j 2.16.0 has been released to address remaining vulnerabilities in 2.15.0 by completely disabling Java Naming and Directory Interface (JNDI) lookups by default. It can be downloaded via the link below:

https://logging.apache.org/log4j/2.x/download.html

Insecure JNDI lookups are what enable the Log4Shell vulnerability, so having JNDI disabled by default in addition to 2.16.0’s removal of its message lookups functionality fixes the vulnerability .

Jamf has stated that they have evaluated CVE-2021-45046, which prompted the release of 2.16.0, and the results of their evaluation are that it does not appear that the conditions which are covered by CVE-2021-45046 should occur with Jamf’s products.

Screen Shot 2021-12-15 at 10.28.24 AM

As of December 15th 2021, Jamf has not provided guidance on updating from log4j 2.15.0 to log4j 2.16.0


The files to download are one of the following two:

  • Apache log4j 2 binary (tar.gz)
  • Apache log4j 2 binary (zip)

Both have the same contents, the main difference is how they are compressed. Once downloaded and uncompressed, you should have the following files:


LICENSE.txt
NOTICE.txt
RELEASE-NOTES.md
log4j-1.2-api-2.15.0-javadoc.jar
log4j-1.2-api-2.15.0-sources.jar
log4j-1.2-api-2.15.0.jar
log4j-api-2.15.0-javadoc.jar
log4j-api-2.15.0-sources.jar
log4j-api-2.15.0.jar
log4j-appserver-2.15.0-javadoc.jar
log4j-appserver-2.15.0-sources.jar
log4j-appserver-2.15.0.jar
log4j-cassandra-2.15.0-javadoc.jar
log4j-cassandra-2.15.0-sources.jar
log4j-cassandra-2.15.0.jar
log4j-core-2.15.0-javadoc.jar
log4j-core-2.15.0-sources.jar
log4j-core-2.15.0-tests.jar
log4j-core-2.15.0.jar
log4j-couchdb-2.15.0-javadoc.jar
log4j-couchdb-2.15.0-sources.jar
log4j-couchdb-2.15.0.jar
log4j-docker-2.15.0-javadoc.jar
log4j-docker-2.15.0-sources.jar
log4j-docker-2.15.0.jar
log4j-flume-ng-2.15.0-javadoc.jar
log4j-flume-ng-2.15.0-sources.jar
log4j-flume-ng-2.15.0.jar
log4j-iostreams-2.15.0-javadoc.jar
log4j-iostreams-2.15.0-sources.jar
log4j-iostreams-2.15.0.jar
log4j-jcl-2.15.0-javadoc.jar
log4j-jcl-2.15.0-sources.jar
log4j-jcl-2.15.0.jar
log4j-jdbc-dbcp2-2.15.0-javadoc.jar
log4j-jdbc-dbcp2-2.15.0-sources.jar
log4j-jdbc-dbcp2-2.15.0.jar
log4j-jmx-gui-2.15.0-javadoc.jar
log4j-jmx-gui-2.15.0-sources.jar
log4j-jmx-gui-2.15.0.jar
log4j-jpa-2.15.0-javadoc.jar
log4j-jpa-2.15.0-sources.jar
log4j-jpa-2.15.0.jar
log4j-jul-2.15.0-javadoc.jar
log4j-jul-2.15.0-sources.jar
log4j-jul-2.15.0.jar
log4j-liquibase-2.15.0-javadoc.jar
log4j-liquibase-2.15.0-sources.jar
log4j-liquibase-2.15.0.jar
log4j-mongodb3-2.15.0-javadoc.jar
log4j-mongodb3-2.15.0-sources.jar
log4j-mongodb3-2.15.0.jar
log4j-mongodb4-2.15.0-javadoc.jar
log4j-mongodb4-2.15.0-sources.jar
log4j-mongodb4-2.15.0.jar
log4j-slf4j-impl-2.15.0-javadoc.jar
log4j-slf4j-impl-2.15.0-sources.jar
log4j-slf4j-impl-2.15.0.jar
log4j-slf4j18-impl-2.15.0-javadoc.jar
log4j-slf4j18-impl-2.15.0-sources.jar
log4j-slf4j18-impl-2.15.0.jar
log4j-spring-boot-2.15.0-javadoc.jar
log4j-spring-boot-2.15.0-sources.jar
log4j-spring-boot-2.15.0.jar
log4j-spring-cloud-config-client-2.15.0-javadoc.jar
log4j-spring-cloud-config-client-2.15.0-sources.jar
log4j-spring-cloud-config-client-2.15.0.jar
log4j-taglib-2.15.0-javadoc.jar
log4j-taglib-2.15.0-sources.jar
log4j-taglib-2.15.0.jar
log4j-to-slf4j-2.15.0-javadoc.jar
log4j-to-slf4j-2.15.0-sources.jar
log4j-to-slf4j-2.15.0.jar
log4j-web-2.15.0-javadoc.jar
log4j-web-2.15.0-sources.jar
log4j-web-2.15.0.jar

view raw

output.txt

hosted with ❤ by GitHub

The ones relevant to Jamf Pro are the following:

  • log4j-1.2-api-2.15.0.jar
  • log4j-api-2.15.0.jar
  • log4j-core-2.15.0.jar
  • log4j-slf4j-impl-2.15.0.jar

For more details, please see below the jump.

The folks at Jamf jumped on this issue and they’ve put together a list of how this affects their products which use the log4j logging tool:


What Jamf products are impacted by the vulnerability?
Jamf Pro (hosted on-premises): Patched
Jamf Pro versions older than 10.14 are vulnerable to this issue. Versions 10.14 through 10.34 include Java 11, which partially mitigates the issue. The Jamf Pro 10.34.1 release was made available to address the issue completely. Please update to this version as soon as possible.
Jamf Pro (Jamf Cloud and Jamf Cloud Premium) Mitigated
Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.
Jamf Connect: Not affected
Jamf Connect does not use the affected libraries.
Jamf Now: Not affected
Jamf Now does not use the affected libraries.
Jamf Protect: Not affected
Jamf Protect does not use the affected libraries.
Jamf School: Not affected
Jamf School does not use the affected libraries.
Jamf Threat Defense: Not affected
Jamf Threat Defense does not use the affected libraries.
Jamf Data Policy: Not affected
Jamf Data Policy does not use the affected libraries.
Jamf Private Access: Not affected
Jamf Private Access does not use the affected libraries.
Health Care Listener: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
Jamf Infrastructure Manager: Not vulnerable
While Jamf Infrastructure Manager does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.

view raw

gistfile1.txt

hosted with ❤ by GitHub

To summarize, Jamf found that the main product which was vulnerable was Jamf Pro. To protect Jamf Cloud-hosted instances, Jamf was able to implement security controls on their end to mitigate the vulnerability. These controls allowed Jamf to block remote attempts to use the vulnerability without needing to upgrade everyone to a new version of Jamf Pro.

For folks hosting their own Jamf Pro instances, Jamf has released Jamf Pro 10.34.1. For folks in a position to upgrade, upgrading to Jamf Pro 10.34.1 is the best answer. This version of Jamf Pro includes the fixed 2.15.0 version of log4j and installs the following files:

  • log4j-1.2-api-2.15.0.jar
  • log4j-api-2.15.0.jar
  • log4j-core-2.15.0.jar
  • log4j-slf4j-impl-2.15.0.jar

These files are located in the following directories on platforms which support running Jamf Pro Server:

  • Linux:
    • /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib/
  • Windows:
    • C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\lib\
  • macOS:
    • /Library/JSS/Tomcat/webapps/ROOT/WEB-INF/lib/

If for some reason it is not possible to upgrade to Jamf Pro 10.34.1 at this time and your Jamf Pro Server is not hosted in Jamf Cloud, it is also possible to mitigate the vulnerability by manually copying the updated version of the log4j tools into place. Jamf has a technical article posted which describes this process. If you are not able to upgrade to 10.34.1 and you’re hosting Jamf Pro outside of Jamf Cloud, I strongly recommend following this article to get the updated log4j.jar files in place as soon as possible.

Note: Something very important to know is that these logging tools are replaced as part of a normal Jamf Pro upgrade, so if you’re not upgrading to Jamf Pro 10.34.1 or later, this fix would need to be re-applied for each upgrade.

If you’re upgrading from an older version of Jamf Pro and need to upgrade to certain vulnerable versions along the way to getting to the latest version, you will need to repeat manually re-adding the non-vulnerable log4j.jar files as part of each upgrade.

Categories: Jamf Pro, Java
  1. Kishore Bandaru
    December 14, 2021 at 4:26 am

    We are running 10.29 Jamf Pro version hosted on premise, we don’t find those reported files in above given locations to be deleted and replaced as per the instructions.

    Can you please suggest, is it something to be copied down even those jar files are not exists.

    • December 14, 2021 at 4:59 pm

      The files have to exist somewhere. It’s quite possible you installed Tomcat in a nonstandard location. Figure out where that is, and then follow Rich’s path.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: