CRITICAL UPDATE: F-Secure Policy Manager, Policy Manager Proxy, F-Secure Endpoint Proxy
An advisory for a critical-ranking vulnerability known as Log4J-RCE (CVE-2021-44228) was disclosed on December 10th 2021. Along with products from many other vendors, F-Secure has identified that this vulnerability also affects the following products:
- F-Secure Policy Manager
- F-Secure Policy Manager for Linux
- F-Secure Policy Manager Proxy
- F-Secure Policy Manager Proxy for Linux
- F-Secure Endpoint Proxy
All versions of these products are affected.
We have created a deployable fix for this vulnerability.
1. Download the patch from the F-Secure server: https://download.f-secure.com/corpro/pm/commons-java-log4j-nolookups.jar
2. Check the SHA256 hash of the file if possible to verify its integrity. It should be 64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0
3. Stop the Policy Manager Server
4. Copy the downloaded file to
- Windows Policy Manager: C:\Program Files (x86)\F-Secure\Management Server 5\lib\
- Windows Endpoint Proxy: C:\Program Files\F-Secure\ElementsConnector\lib
- Linux (all products): /opt/f-secure/fspms/lib
5. Start the Policy Manager Server
After the service restart, the patch will automatically be taken into use.
Note: This patch only applies to version 14 and version 15 of the affected software. It will also apply to version 13, although this version is out of support.
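Steps 2 and 4 for the Linux products as a script, added here as an example and not F-Secure's own code: it copies the jar into the lib directory only if its SHA256 matches the value given above. The function names sha256_of and install_patch are hypothetical; stopping and starting the server (steps 3 and 5) is left to the operator.

```shell
#!/bin/sh
# Added example, not F-Secure code: hash-gated install of the patch jar.
# The hash and the Linux lib path are the ones given in the advisory.
EXPECTED_SHA256="64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0"
LIB_DIR="/opt/f-secure/fspms/lib"

# Print the lowercase SHA256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print tolower($1)}'
}

# install_patch FILE [EXPECTED_HASH] [DEST_DIR]   (hypothetical helper)
# Returns 0 when installed, 1 on hash mismatch, 2 on a missing file or directory.
install_patch() {
    ip_file=$1
    ip_want=$(printf '%s' "${2:-$EXPECTED_SHA256}" | tr 'A-F' 'a-f')
    ip_dest=${3:-$LIB_DIR}
    [ -f "$ip_file" ] || { echo "no such file: $ip_file" >&2; return 2; }
    [ -d "$ip_dest" ] || { echo "no such directory: $ip_dest" >&2; return 2; }

    ip_got=$(sha256_of "$ip_file")
    if [ "$ip_got" != "$ip_want" ]; then
        echo "SHA256 mismatch, not installing: $ip_got" >&2
        return 1
    fi

    # Copy under a temporary name, then rename, so an interrupted copy
    # never leaves a truncated .jar in the lib directory.
    ip_name=$(basename "$ip_file")
    ip_tmp="$ip_dest/.$ip_name.$$"
    cp "$ip_file" "$ip_tmp" && mv "$ip_tmp" "$ip_dest/$ip_name" || { rm -f "$ip_tmp"; return 2; }

    # Confirm the installed copy still matches before the server is started.
    [ "$(sha256_of "$ip_dest/$ip_name")" = "$ip_want" ] || return 1
    echo "installed $ip_dest/$ip_name ($ip_got)"
}

# Run with the server stopped (step 3), passing the downloaded jar as the argument.
[ "$#" -eq 0 ] || install_patch "$1"
```

A return code of 1 means the download should be discarded and fetched again, not copied by hand.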