F-Secure Policy Manager 15.30 has been released, which includes a revised Java Runtime Environment which addresses these issues without the need to patch. Customers are advised to take this into use at their earliest opportunity.
F-Secure Policy Manager and related products listed below are NOT affected by this new vulnerability, and the existing patch resolves all known issues. F-Secure Elements Connector has been automatically upgraded to a patched version and no customer action is needed. We do advise customers to check they have the latest version installed though.
An advisory for a critical-ranking vulnerability known as Log4J-RCE (CVE-2021-44228) was disclosed on December 10th 2021. Along with products from many other vendors, F-Secure has identified that this vulnerability also affects the following products:
- F-Secure Policy Manager - F-Secure Policy Manager for Linux - F-Secure Policy Manager Proxy - F-Secure Policy Manager Proxy for Linux - F-Secure Endpoint Proxy
All versions of these products are affected.
We have created a deployable fix for this vulnerability.
2. Check the SHA256 hash of the file if possible to verify its integrity. It should be 64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0
3. Stop the Policy Manager Server
4. Copy the downloaded file to - Windows Policy Manager: C:\Program Files (x86)\F-Secure\Management Server 5\lib\ - Windows Endpoint Proxy: C:\Program Files\F-Secure\ElementsConnector\lib - Linux (all products): /opt/f-secure/fspms/lib
5. Start the Policy Manager Server
After the service restart, the patch will automatically be taken into use.
Note: This patch only applies to version 14 and version 15 of the affected software. It will also apply to version 13, although this version is out of support.
An advisory for a critical-ranking vulnerability known as Log4J-RCE was disclosed on December 10th 2021. We are investigating any impact this may have on our products or services to take immediate steps where appropriate. Detections will protect users from this exploit in any vulnerable applications.
This vulnerability affects the “Log4j” Java-based logging tool which is part of the Apache Logging Services project of the Apache Software Foundation. The tool is widely used by enterprises around the world for application development. This exploit can be executed remotely, potentially allowing attackers to take full control of an affected server. Proof-of-concept code has been published and reports show that this vulnerability is being actively exploited in the wild. As the situation evolves, the latest information about our products and services can be found here.