Mitigating the Apache Log4j 2 Vulnerability

On December 15, 2021, a security vulnerability was identified in Apache Log4j 2 version 2.15.0 or earlier (CVE-2021-45046 and CVE-2021-44228). This vulnerability poses a risk to private data and the availability of your web server. It has the potential to impact managed devices directly. This vulnerability has been resolved in Jamf Pro 10.34.2.

Jamf recommends upgrading to Jamf Pro 10.35.0 or later as soon as possible. If you cannot upgrade to 10.35.0 or later, follow the instructions below for your platform to mitigate this vulnerability.

Important: If you do not upgrade to Jamf Pro 10.34.2 or later, you will need to perform this mitigation after each upgrade.

Mitigating the Apache Log4j 2 Vulnerability on Linux

Requirements

Jamf Pro 10.31.0–10.35.0

  1. Stop Tomcat. See Starting and Stopping Tomcat for instructions.
  2. Navigate to the default Jamf Pro installation path: /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib/
  3. Delete the following files:
    • log4j-1.2-api-2.13.3.jar
    • log4j-api-2.13.3.jar
    • log4j-core-2.13.3.jar
    • log4j-slf4j-impl-2.13.3.jar
  4. Download apache-log4j-2.17.0-bin.tar.gz or later from the following webpage: https://logging.apache.org/log4j/2.x/download.html.
  5. Extract the contents of the file by executing the following command:
    tar -xf apache-log4j-2.17.0-bin.tar.gz
  6. Move the following extracted files to the /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/lib/ directory:
    • log4j-1.2-api-2.17.0.jar
    • log4j-api-2.17.0.jar
    • log4j-core-2.17.0.jar
    • log4j-slf4j-impl-2.17.0.jar
  7. Verify the permissions for the files are correct by comparing permissions to the other files in the directory.
  8. Start Tomcat. See Starting and Stopping Tomcat for instructions.

Mitigating the Apache Log4j 2 Vulnerability on Windows

Requirements

Jamf Pro 10.31.0–10.35.0

  1. Stop Tomcat. See Starting and Stopping Tomcat for instructions.
  2. Navigate to the default Jamf Pro installation path: C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\lib\
  3. Delete the following files:
    • log4j-1.2-api-2.13.3.jar
    • log4j-api-2.13.3.jar
    • log4j-core-2.13.3.jar
    • log4j-slf4j-impl-2.13.3.jar
  4. Download apache-log4j-2.17.0-bin.zip or later from the following webpage: https://logging.apache.org/log4j/2.x/download.html
  5. Unzip apache-log4j-2.17.0-bin.zip.
  6. Navigate to the unzipped apache-log4j-2.17.0-bin directory.
  7. Move the following extracted files to the C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\lib\ directory:
    • log4j-1.2-api-2.17.0.jar
    • log4j-api-2.17.0.jar
    • log4j-core-2.17.0.jar
    • log4j-slf4j-impl-2.17.0.jar
  8. Verify the permissions for the files are correct by comparing permissions to the other files in the directory.
  9. Start Tomcat. See Starting and Stopping Tomcat for instructions.

Mitigating the Apache Log4j 2 Vulnerability on macOS

Requirements

Jamf Pro 10.31.0–10.35.0

  1. Stop Tomcat. See Starting and Stopping Tomcat for instructions.
  2. Navigate to the Jamf Pro installation path: /Library/JSS/Tomcat/webapps/ROOT/WEB-INF/lib/
  3. Delete the following files:
    • log4j-1.2-api-2.13.3.jar
    • log4j-api-2.13.3.jar
    • log4j-core-2.13.3.jar
    • log4j-slf4j-impl-2.13.3.jar
  4. Download apache-log4j-2.17.0-bin.tar.gz or later from the following webpage: https://logging.apache.org/log4j/2.x/download.html.
  5. Extract the contents of the file by executing the following command:
    tar -xf apache-log4j-2.17.0-bin.tar.gz
  6. Move the following extracted files to the /Library/JSS/Tomcat/webapps/ROOT/WEB-INF/lib/ directory:
    • log4j-1.2-api-2.17.0.jar
    • log4j-api-2.17.0.jar
    • log4j-core-2.17.0.jar
    • log4j-slf4j-impl-2.17.0.jar
  7. Verify the permissions for the files are correct by comparing permissions to the other files in the directory.
  8. Start Tomcat. See Starting and Stopping Tomcat for instructions.
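
To confirm steps 3, 6 and 7 of the Linux and macOS procedures before Tomcat is started again, the lib directory can be checked with a small shell function. This is an added example, not Jamf tooling: the function names check_log4j_lib and perm_of are hypothetical, and any replacement version is accepted because the page allows 2.17.0 or later.

```shell
#!/bin/sh
# Added example (not Jamf's tooling): check a Jamf Pro lib directory after the jar swap.

# Print "mode uid gid" for a file; only the 10 mode characters are kept so that
# ACL/xattr markers appended by ls ("+", "@", ".") do not cause false mismatches.
perm_of() {
    ls -ln "$1" | awk '{print substr($1, 1, 10), $3, $4}'
}

check_log4j_lib() {
    lib=$1
    rc=0
    if [ ! -d "$lib" ]; then echo "not a directory: $lib" >&2; return 2; fi

    # Reference permissions: the first jar in the directory that is not a log4j jar.
    ref=""
    for f in "$lib"/*.jar; do
        case "${f##*/}" in log4j-*) continue ;; esac
        if [ -f "$f" ]; then ref=$(perm_of "$f"); break; fi
    done

    for family in log4j-1.2-api log4j-api log4j-core log4j-slf4j-impl; do
        # Step 3: the 2.13.3 jar must be gone.
        if [ -e "$lib/$family-2.13.3.jar" ]; then
            echo "FAIL: $family-2.13.3.jar still present"; rc=1
            continue
        fi
        # Step 6: exactly one jar of this family should be present.
        count=0; found=""
        for f in "$lib/$family"-[0-9]*.jar; do
            if [ -f "$f" ]; then count=$((count + 1)); found=$f; fi
        done
        if [ "$count" -ne 1 ]; then
            echo "FAIL: expected 1 $family jar, found $count"; rc=1
            continue
        fi
        # Step 7: owner, group and mode should match the neighbouring jars.
        if [ -n "$ref" ] && [ "$(perm_of "$found")" != "$ref" ]; then
            echo "FAIL: ${found##*/} is '$(perm_of "$found")', expected '$ref'"; rc=1
        else
            echo "OK:   ${found##*/}"
        fi
    done
    return $rc
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then check_log4j_lib "$1"; fi
```

Pass the lib path from step 2 as the argument; a non-zero exit status means at least one of the three checks failed.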