0-day exploit found in the Java logging package log4j2
Incident Report for F-Secure services
Resolved
This incident has been resolved.
Posted Jan 03, 2022 - 13:49 EET
Monitoring
F-Secure Policy Manager 15.30 has been released. It includes a revised Java Runtime Environment that addresses these issues without the need to patch. Customers are advised to take this version into use at their earliest opportunity.

You can download the latest version from https://www.f-secure.com/en/business/downloads/policy-manager
Posted Dec 22, 2021 - 13:23 EET
Update
A further vulnerability was discovered in the Log4J component (CVE-2021-45046) and we are continuing to investigate the impact.

F-Secure Messaging Security Gateway is affected and patches are available. For most customers, these have been automatically applied, but please refer to https://community.f-secure.com/common-business-en/kb/articles/9226-the-log4j-vulnerabilities-cve-2021-44228-cve-2021-45046-which-f-secure-products-are-affected-what-it-means-what-steps-should-you-take for more details.

F-Secure Policy Manager and related products listed below are NOT affected by this new vulnerability, and the existing patch resolves all known issues.
F-Secure Elements Connector has been automatically upgraded to a patched version and no customer action is needed. We do, however, advise customers to check that they have the latest version installed.

We recommend that customers regularly check https://community.f-secure.com/common-business-en/kb/articles/9226-the-log4j-vulnerabilities-cve-2021-44228-cve-2021-45046-which-f-secure-products-are-affected-what-it-means-what-steps-should-you-take for the latest information, but we will update this status as critical information becomes available.
Posted Dec 16, 2021 - 13:48 EET
Update
Posted Dec 13, 2021 - 09:53 EET
Identified
CRITICAL UPDATE: F-Secure Policy Manager, Policy Manager Proxy, F-Secure Endpoint Proxy

An advisory for a critical-ranking vulnerability known as Log4J-RCE (CVE-2021-44228) was disclosed on December 10th 2021. Along with products from many other vendors, F-Secure has identified that this vulnerability also affects the following products:

- F-Secure Policy Manager
- F-Secure Policy Manager for Linux
- F-Secure Policy Manager Proxy
- F-Secure Policy Manager Proxy for Linux
- F-Secure Endpoint Proxy

All versions of these products are affected.

We have created a deployable fix for this vulnerability.

1. Download the patch from the F-Secure server: https://download.f-secure.com/corpro/pm/commons-java-log4j-nolookups.jar

2. Check the SHA256 hash of the file if possible to verify its integrity. It should be 64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0

3. Stop the Policy Manager Server

4. Copy the downloaded file to:
- Windows Policy Manager: C:\Program Files (x86)\F-Secure\Management Server 5\lib\
- Windows Endpoint Proxy: C:\Program Files\F-Secure\ElementsConnector\lib
- Linux (all products): /opt/f-secure/fspms/lib

5. Start the Policy Manager Server

After the service restart, the patch will automatically be taken into use.

Note: This patch only applies to version 14 and version 15 of the affected software. It will also apply to version 13, although this version is out of support.
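
On Linux, steps 2 and 4 can be scripted so that the jar is copied only when its SHA256 matches the value published above. This is an added example, not F-Secure's own tooling; the function names and the script name install-patch.sh are assumptions, and stopping and starting the Policy Manager Server (steps 3 and 5) is left to the operator.

```shell
#!/bin/sh
# Added example (not F-Secure tooling): verify the patch jar against the
# hash published in this advisory, then install it into the lib directory.

# SHA256 from step 2 of the advisory.
EXPECTED_SHA256="64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0"

# Print the lowercase SHA256 of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    else
        echo "no SHA256 tool found" >&2
        return 2
    fi
}

# verify_and_install JAR DEST_DIR [EXPECTED_HASH]
# Copies JAR into DEST_DIR only if its hash matches; non-zero otherwise.
verify_and_install() {
    jar=$1; dest=$2
    want=$(printf '%s' "${3:-$EXPECTED_SHA256}" | tr 'A-F' 'a-f')
    [ -f "$jar" ] || { echo "missing file: $jar" >&2; return 1; }
    [ -d "$dest" ] || { echo "missing directory: $dest" >&2; return 1; }
    got=$(sha256_of "$jar") || return 2
    if [ "$got" != "$want" ]; then
        echo "hash mismatch for $jar: got $got" >&2
        return 1
    fi
    # Copy under a temporary name, then rename, so a partial copy is never
    # left in lib/ under the real file name.
    name=$(basename "$jar")
    tmp="$dest/.$name.tmp.$$"
    cp "$jar" "$tmp" && mv "$tmp" "$dest/$name" || { rm -f "$tmp"; return 1; }
    echo "installed $name into $dest"
}

# Runs only when called with arguments, e.g. (Linux path from step 4):
#   sh install-patch.sh commons-java-log4j-nolookups.jar /opt/f-secure/fspms/lib
if [ "$#" -ge 2 ]; then
    verify_and_install "$@"
fi
```

A hash mismatch leaves the lib directory untouched, so the service can be restarted without loading an unverified file.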

Posted Dec 10, 2021 - 22:11 EET
Investigating
An advisory for a critical-ranking vulnerability known as Log4J-RCE was disclosed on December 10th 2021. We are investigating any impact this may have on our products or services to take immediate steps where appropriate. Detections will protect users from this exploit in any vulnerable applications.

This vulnerability affects the “Log4j” Java-based logging tool which is part of the Apache Logging Services project of the Apache Software Foundation. The tool is widely used by enterprises around the world for application development. This exploit can be executed remotely, potentially allowing attackers to take full control of an affected server. Proof-of-concept code has been published and reports show that this vulnerability is being actively exploited in the wild.
As the situation evolves, the latest information about our products and services can be found here.
Posted Dec 10, 2021 - 18:54 EET
This incident affected: Business Suite (Endpoints (Clients & Servers)).