The below post lists the F-Secure products that has been affected by Log4j Vulnerability.Almost all the products and versions of F-Secure has been affected by this Vulnerability. F-Secure team has patched and released a jar file commons-java-log4j-nolookups.jar which needs to be downloaded from F-Secure site and place in a particular folder so that when F-Secure is restarted the patch would be followed (Detailed steps are given below)
F-Secure Product | Versions | Status | Patched? |
---|---|---|---|
F-Secure Policy Manager | All | Fix | |
F-Secure Policy Manager for Linux | All | Fix | |
F-Secure Policy Manager Proxy | All | ||
F-Secure Policy Manager Proxy for Linux | All | ||
F-Secure Endpoint Proxy | All |
Steps for Applying F-Secure Patch:
Step 1: Download the patch from the F-Secure server : https://download.f-secure.com/corpro/pm/commons-java-log4j-nolookups.jar
Step 2: SHA-256 hash of the file should be 64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0
Step 3: Stop the Policy Manager Server
Step 4: Commons-java-log4j-nolookup.jar should be copied to these locations (under lib folder of your F-Secure installations)
Windows Policy Manager:F-Secure/Management Server 5/lib/
Windows Endpoint Proxy:C:/../F-Secure/ElementsConnector/lib
Linux (all products): /opt/f-secure/fspms/lib
Step 5: Start the Policy Manager Server
After the Policy Manager Server restart, the patch would be automatically picked up and applied to F-Secure.
The patch is only for 14 & 15th versions which are supported. For version 13th this can be still applied.