https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787083#M23574 <P>Hi,</P><P>&nbsp;</P><P>Kindly advice if&nbsp;Log4j Vulnerability Remediation is to be performed for SAS client tools (like SAS Enterprise Guide) and if so what are the steps. In such case we would need to have it fixed for all users who would have installed SAS EG. Please advice.</P> Wed, 22 Dec 2021 11:43:35 GMT judie_c1 2021-12-22T11:43:35Z https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787083#M23574 <P>Hi,</P><P>&nbsp;</P><P>Kindly advice if&nbsp;Log4j Vulnerability Remediation is to be performed for SAS client tools (like SAS Enterprise Guide) and if so what are the steps. In such case we would need to have it fixed for all users who would have installed SAS EG. Please advice.</P> Wed, 22 Dec 2021 11:43:35 GMT https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787083#M23574 judie_c1 2021-12-22T11:43:35Z https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787091#M23576 <P>Hi&nbsp;<a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/366172">@judie_c1</a>,</P> <P>Here are the links to SAS resources regarding log4j:</P> <P><A href="https://support.sas.com/content/support/en/security-bulletins/remote-code-execution-vulnerability-cve-2021-44228.html" target="_self">SAS Statement Regarding Remote Code Execution Vulnerability</A></P> <P>SAS Blog post&nbsp;<A href="https://blogs.sas.com/content/sgf/2021/12/13/cve-2021-44228-log4j/" target="_self">Updates on the Apache Log4j CVE-2021-44228 vulnerability</A></P> <P><A href="https://communities.sas.com/t5/Administration-and-Deployment/SAS-response-recommendations-for-zero-day-log4j2-CVE-2021-44228/m-p/785489#M23520" target="_self">Lengthy Community thread with many questions / responses</A></P> <P>&nbsp;</P> <P>I hope this helps,</P> <P>Joe</P> Wed, 22 Dec 2021 13:08:43 GMT https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787091#M23576 joeFurbee 2021-12-22T13:08:43Z https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787175#M23579 <P>A lot will depend on how EG was installed. If it was installed via an EG standalone installer then it is unlikely log4j software is included. I did a quick check on my laptop and can't find it in any EG install directories.</P> <P>&nbsp;</P> <P>On the other hand if an installation was done from a full SAS Software Depot and that depot was copied to a client PC hard drive then the depot may contain log4j software. Also if SAS client tools other than EG were installed then it is possible log4j software will be included.</P> <P>&nbsp;</P> <P>The bottom line is you really need to search any local hard drives to be sure. In Windows Explorer search for this - <CODE class="xisDoc-directedUserInput">log4j-core-2.*.jar</CODE></P> Wed, 22 Dec 2021 22:06:56 GMT https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787175#M23579 SASKiwi 2021-12-22T22:06:56Z https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787250#M23582 <P>SAS Enterprise Guide is a Microsoft .Net application.No Log4j patching.<BR />However for client tools from server (SAS Studio etc) should be covered by patching in the server.<BR />In case of a doubt SAS Tech Support should be of great help.</P> Thu, 23 Dec 2021 16:14:39 GMT https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787250#M23582 Sajid01 2021-12-23T16:14:39Z https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787262#M23583 <P>EG is, as mentioned, based on .NET, so it will have other vulnerabilities (after all, .NET is from Microsoft <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P> <P>&nbsp;</P> <P>But if you have other clients installed locally (Management Console, Information Map Studio, OLAP Cube Studio), these are based on Java and might carry vulnerabilities, although the danger is not as big as on servers (you would have to somehow create a loggable event in those apps - on your own! - that carries a malicious string)</P> Thu, 23 Dec 2021 16:59:26 GMT https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/787262#M23583 Kurt_Bremser 2021-12-23T16:59:26Z https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/796015#M23792 <P>is there any order we need to do the log4j remediation? like start with meta, compute and then mid-tier ?</P> Mon, 14 Feb 2022 09:04:00 GMT https://communities.sas.com/t5/Administration-and-Deployment/Log4j-Vulnerability-Remediation-required-for-SAS-client-tools/m-p/796015#M23792 muduki 2022-02-14T09:04:00Z