
Remediating Log4Shell on Jamf Pro

On Thursday, December 9th 2021, a vulnerability was discovered in the popular Java logging library (log4j) which allowed for Remote Code Execution (RCE) by logging a certain string. This vulnerability has been dubbed Log4shell:

https://twitter.com/GossiTheDog/status/1469252309058306051?s=20

How bad is this? I’ll let the below video of a Minecraft server being changed into a DOOM server via this vulnerability speak to how a remote attacker could use Log4shell to give you a bad day:

It’s bad. It’s hard to overstate how bad. My colleague Ben Toms has a good write-up on this issue here:

https://macmule.com/2021/12/11/jamf-pro-and-log4shell-cve-2021-44228

To address this vulnerability, the log4j project has released an updated version of the logging library which is not vulnerable. It’s log4j 2.15.0 and is available for download via the link below:

https://logging.apache.org/log4j/2.x/download.html


Update 12-15-2021:

Log4j 2.16.0 has been released to address remaining vulnerabilities in 2.15.0 by completely disabling Java Naming and Directory Interface (JNDI) lookups by default. It can be downloaded via the link below:

https://logging.apache.org/log4j/2.x/download.html

Insecure JNDI lookups are what enable the Log4Shell vulnerability, so having JNDI disabled by default, in addition to 2.16.0’s removal of its message lookups functionality, fixes the vulnerability.

Jamf has stated that they have evaluated CVE-2021-45046, which prompted the release of 2.16.0, and concluded that the conditions covered by CVE-2021-45046 do not appear to occur with Jamf’s products.


As of December 15th 2021, Jamf has not provided guidance on updating from log4j 2.15.0 to log4j 2.16.0.


Download one of the following two files:

  • Apache log4j 2 binary (tar.gz)
  • Apache log4j 2 binary (zip)

Both have the same contents; the main difference is how they are compressed. Once downloaded and uncompressed, you should have the following files:

LICENSE.txt
NOTICE.txt
RELEASE-NOTES.md
log4j-1.2-api-2.15.0-javadoc.jar
log4j-1.2-api-2.15.0-sources.jar
log4j-1.2-api-2.15.0.jar
log4j-api-2.15.0-javadoc.jar
log4j-api-2.15.0-sources.jar
log4j-api-2.15.0.jar
log4j-appserver-2.15.0-javadoc.jar
log4j-appserver-2.15.0-sources.jar
log4j-appserver-2.15.0.jar
log4j-cassandra-2.15.0-javadoc.jar
log4j-cassandra-2.15.0-sources.jar
log4j-cassandra-2.15.0.jar
log4j-core-2.15.0-javadoc.jar
log4j-core-2.15.0-sources.jar
log4j-core-2.15.0-tests.jar
log4j-core-2.15.0.jar
log4j-couchdb-2.15.0-javadoc.jar
log4j-couchdb-2.15.0-sources.jar
log4j-couchdb-2.15.0.jar
log4j-docker-2.15.0-javadoc.jar
log4j-docker-2.15.0-sources.jar
log4j-docker-2.15.0.jar
log4j-flume-ng-2.15.0-javadoc.jar
log4j-flume-ng-2.15.0-sources.jar
log4j-flume-ng-2.15.0.jar
log4j-iostreams-2.15.0-javadoc.jar
log4j-iostreams-2.15.0-sources.jar
log4j-iostreams-2.15.0.jar
log4j-jcl-2.15.0-javadoc.jar
log4j-jcl-2.15.0-sources.jar
log4j-jcl-2.15.0.jar
log4j-jdbc-dbcp2-2.15.0-javadoc.jar
log4j-jdbc-dbcp2-2.15.0-sources.jar
log4j-jdbc-dbcp2-2.15.0.jar
log4j-jmx-gui-2.15.0-javadoc.jar
log4j-jmx-gui-2.15.0-sources.jar
log4j-jmx-gui-2.15.0.jar
log4j-jpa-2.15.0-javadoc.jar
log4j-jpa-2.15.0-sources.jar
log4j-jpa-2.15.0.jar
log4j-jul-2.15.0-javadoc.jar
log4j-jul-2.15.0-sources.jar
log4j-jul-2.15.0.jar
log4j-liquibase-2.15.0-javadoc.jar
log4j-liquibase-2.15.0-sources.jar
log4j-liquibase-2.15.0.jar
log4j-mongodb3-2.15.0-javadoc.jar
log4j-mongodb3-2.15.0-sources.jar
log4j-mongodb3-2.15.0.jar
log4j-mongodb4-2.15.0-javadoc.jar
log4j-mongodb4-2.15.0-sources.jar
log4j-mongodb4-2.15.0.jar
log4j-slf4j-impl-2.15.0-javadoc.jar
log4j-slf4j-impl-2.15.0-sources.jar
log4j-slf4j-impl-2.15.0.jar
log4j-slf4j18-impl-2.15.0-javadoc.jar
log4j-slf4j18-impl-2.15.0-sources.jar
log4j-slf4j18-impl-2.15.0.jar
log4j-spring-boot-2.15.0-javadoc.jar
log4j-spring-boot-2.15.0-sources.jar
log4j-spring-boot-2.15.0.jar
log4j-spring-cloud-config-client-2.15.0-javadoc.jar
log4j-spring-cloud-config-client-2.15.0-sources.jar
log4j-spring-cloud-config-client-2.15.0.jar
log4j-taglib-2.15.0-javadoc.jar
log4j-taglib-2.15.0-sources.jar
log4j-taglib-2.15.0.jar
log4j-to-slf4j-2.15.0-javadoc.jar
log4j-to-slf4j-2.15.0-sources.jar
log4j-to-slf4j-2.15.0.jar
log4j-web-2.15.0-javadoc.jar
log4j-web-2.15.0-sources.jar
log4j-web-2.15.0.jar


The ones relevant to Jamf Pro are the following:

  • log4j-1.2-api-2.15.0.jar
  • log4j-api-2.15.0.jar
  • log4j-core-2.15.0.jar
  • log4j-slf4j-impl-2.15.0.jar

For more details, please see below the jump.

The folks at Jamf jumped on this issue and they’ve put together a list of how this affects their products which use the log4j logging tool:


What Jamf products are impacted by the vulnerability?
Jamf Pro (hosted on-premises): Patched
Jamf Pro versions older than 10.14 are vulnerable to this issue. Versions 10.14 through 10.34 include Java 11, which partially mitigates the issue. The Jamf Pro 10.34.1 release was made available to address the issue completely. Please update to this version as soon as possible.
Jamf Pro (Jamf Cloud and Jamf Cloud Premium): Mitigated
Customers utilizing our cloud-based products have had the vulnerability mitigated through appropriate security controls. No further actions are necessary.
Jamf Connect: Not affected
Jamf Connect does not use the affected libraries.
Jamf Now: Not affected
Jamf Now does not use the affected libraries.
Jamf Protect: Not affected
Jamf Protect does not use the affected libraries.
Jamf School: Not affected
Jamf School does not use the affected libraries.
Jamf Threat Defense: Not affected
Jamf Threat Defense does not use the affected libraries.
Jamf Data Policy: Not affected
Jamf Data Policy does not use the affected libraries.
Jamf Private Access: Not affected
Jamf Private Access does not use the affected libraries.
Health Care Listener: Not vulnerable
While Health Care Listener does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.
Jamf Infrastructure Manager: Not vulnerable
While Jamf Infrastructure Manager does utilize the library that includes the vulnerability, it cannot be exploited by an attacker.


To summarize, Jamf found that the main product which was vulnerable was Jamf Pro. To protect Jamf Cloud-hosted instances, Jamf was able to implement security controls on their end to mitigate the vulnerability. These controls allowed Jamf to block remote attempts to use the vulnerability without needing to upgrade everyone to a new version of Jamf Pro.

For folks hosting their own Jamf Pro instances, Jamf has released Jamf Pro 10.34.1. For folks in a position to upgrade, upgrading to Jamf Pro 10.34.1 is the best answer. This version of Jamf Pro includes the fixed 2.15.0 version of log4j and installs the following files:

  • log4j-1.2-api-2.15.0.jar
  • log4j-api-2.15.0.jar
  • log4j-core-2.15.0.jar
  • log4j-slf4j-impl-2.15.0.jar

These files are located in the following directories on platforms which support running Jamf Pro Server:

  • Linux:
    • /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib/
  • Windows:
    • C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\lib\
  • macOS:
    • /Library/JSS/Tomcat/webapps/ROOT/WEB-INF/lib/

If for some reason it is not possible to upgrade to Jamf Pro 10.34.1 at this time and your Jamf Pro Server is not hosted in Jamf Cloud, it is also possible to mitigate the vulnerability by manually copying the updated version of the log4j tools into place. Jamf has a technical article posted which describes this process. If you are not able to upgrade to 10.34.1 and you’re hosting Jamf Pro outside of Jamf Cloud, I strongly recommend following this article to get the updated log4j.jar files in place as soon as possible.

Note: Something very important to know is that these logging tools are replaced as part of a normal Jamf Pro upgrade, so if you’re not upgrading to Jamf Pro 10.34.1 or later, this fix would need to be re-applied for each upgrade.

If you’re upgrading from an older version of Jamf Pro and need to step through certain vulnerable versions on the way to the latest version, you will need to manually re-add the non-vulnerable log4j .jar files as part of each of those upgrades.
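Because an upgrade silently puts the bundled jars back, it helps to have a check you can run after every upgrade rather than trusting that the fix is still in place. The script below is an added example, not part of the original post or of Jamf’s documentation: it scans the Linux and macOS lib directories listed above (the Windows path is administered from PowerShell and is not covered here), reads the version out of each log4j jar name using the naming scheme from the download listing (log4j-module-version.jar, optionally with a -javadoc, -sources or -tests classifier), and reports anything below a minimum version. The MIN_LOG4J and JAMF_LIB_DIR environment variables are this script’s own assumptions, not Jamf settings; MIN_LOG4J defaults to 2.15.0, which is what Jamf Pro 10.34.1 ships, and can be set to 2.16.0 if you are following the update above.

```shell
#!/bin/sh
# Added example (not from the original post or from Jamf): flag log4j jars
# below a minimum version in a Jamf Pro Tomcat lib directory.
# Assumptions (mine): the default Linux/macOS paths from the post, the
# Apache jar naming scheme log4j-<module>-<version>[-classifier].jar seen
# in the download listing, and MIN_LOG4J / JAMF_LIB_DIR as overrides.

MIN_LOG4J=${MIN_LOG4J:-2.15.0}   # 2.15.0 ships with Jamf Pro 10.34.1; 2.16.0 per the update

# Print the version embedded in a log4j jar name, e.g.
# log4j-core-2.15.0.jar or log4j-1.2-api-2.15.0-sources.jar -> 2.15.0.
# Prints nothing for names that do not follow the scheme.
log4j_version_from_name() {
    basename "$1" | sed -nE \
        's/^log4j-.*-([0-9]+\.[0-9]+\.[0-9]+)(-(javadoc|sources|tests))?\.jar$/\1/p'
}

# version_lt A B: exit 0 when dotted version A is numerically below B,
# comparing field by field (so 2.9.1 < 2.16.0 and 2.16 == 2.16.0).
version_lt() {
    _a=$1
    _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _af=${_a%%.*}
        _bf=${_b%%.*}
        if [ "$_a" = "$_af" ]; then _a=; else _a=${_a#*.}; fi
        if [ "$_b" = "$_bf" ]; then _b=; else _b=${_b#*.}; fi
        if [ "${_af:-0}" -lt "${_bf:-0}" ]; then return 0; fi
        if [ "${_af:-0}" -gt "${_bf:-0}" ]; then return 1; fi
    done
    return 1
}

# Print the basename of every log4j jar in DIR whose version is below MIN.
list_old_log4j_jars() {
    _dir=$1
    _min=$2
    for _jar in "$_dir"/log4j-*.jar; do
        [ -e "$_jar" ] || continue          # glob matched nothing
        _ver=$(log4j_version_from_name "$_jar")
        [ -n "$_ver" ] || continue          # not a versioned log4j jar
        if version_lt "$_ver" "$_min"; then
            basename "$_jar"
        fi
    done
}

# Echo how many jars list_old_log4j_jars reports for DIR and MIN.
count_old_log4j_jars() {
    _count=0
    for _name in $(list_old_log4j_jars "$1" "$2"); do
        _count=$((_count + 1))
    done
    echo "$_count"
}

# Scan JAMF_LIB_DIR (if set) plus the default on-prem Linux and macOS
# locations from the post. Returns 1 when anything is below MIN_LOG4J.
scan_jamf_lib_dirs() {
    _status=0
    _seen=0
    for _d in "${JAMF_LIB_DIR:-}" \
              /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib \
              /Library/JSS/Tomcat/webapps/ROOT/WEB-INF/lib; do
        [ -n "$_d" ] && [ -d "$_d" ] || continue
        _seen=1
        _old=$(list_old_log4j_jars "$_d" "$MIN_LOG4J")
        if [ -n "$_old" ]; then
            printf '%s: jars below log4j %s:\n%s\n' "$_d" "$MIN_LOG4J" "$_old"
            _status=1
        else
            printf '%s: all log4j jars are %s or newer\n' "$_d" "$MIN_LOG4J"
        fi
    done
    [ "$_seen" -eq 1 ] || echo "No Jamf Pro lib directory found; set JAMF_LIB_DIR to its location."
    return "$_status"
}

scan_jamf_lib_dirs
```

The script’s exit status is 1 when any jar is below the minimum, so it can be dropped into a post-upgrade checklist or a monitoring job without parsing its output. Two caveats a practitioner should keep in mind: it trusts the file name, so a jar that has been renamed or repacked needs its version confirmed from the manifest instead (for example with `unzip -p log4j-core-2.15.0.jar META-INF/MANIFEST.MF`), and it only tells you which jars are on disk; the comment thread below shows that a nonstandard Tomcat install location is a common reason for finding nothing, which is what JAMF_LIB_DIR is for.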

Categories: Jamf Pro, Java
  1. Kishore Bandaru
    December 14, 2021 at 4:26 am

    We are running Jamf Pro version 10.29 hosted on premises, and we don’t find the reported files in the locations given above to be deleted and replaced as per the instructions.

    Can you please suggest whether these should be copied down even though those jar files do not exist?

    • December 14, 2021 at 4:59 pm

      The files have to exist somewhere. It’s quite possible you installed Tomcat in a nonstandard location. Figure out where that is, and then follow Rich’s path.
