Skip to content

F-Secure Products | Log4j Vulnerability

The below post lists the F-Secure products that has been affected by Log4j Vulnerability.Almost all the products and versions of F-Secure has been affected by this Vulnerability. F-Secure team has patched and released a jar file commons-java-log4j-nolookups.jar which needs to be downloaded from F-Secure site and place in a particular folder so that when F-Secure is restarted the patch would be followed (Detailed steps are given below)

F-Secure ProductVersionsStatusPatched?
F-Secure Policy ManagerAllFix
F-Secure Policy Manager for LinuxAllFix
F-Secure Policy Manager ProxyAll
F-Secure Policy Manager Proxy for LinuxAll
 F-Secure Endpoint ProxyAll

Steps for Applying F-Secure Patch:

Step 1:  Download the patch from the F-Secure server :

Step 2: SHA-256 hash of the file should be 64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0

Step 3: Stop the Policy Manager Server

Step 4: Commons-java-log4j-nolookup.jar should be copied to these locations (under lib folder of your F-Secure installations)

Windows Policy Manager:F-Secure/Management Server 5/lib/
Windows Endpoint Proxy:C:/../F-Secure/ElementsConnector/lib

Linux (all products): /opt/f-secure/fspms/lib 

Step 5: Start the Policy Manager Server

After the Policy Manager Server restart, the patch would be automatically picked up and applied to F-Secure.

The patch is only for 14 & 15th versions which are supported. For version 13th this can be still applied.