blashmet
Calcite | Level 5

When the recommended Java installation option is used with SAS, does SAS install the browser plugin/component of Java, or is this a special "localized" version of Java only utilized by SAS?

I'm not sure if this is correct, but it seems like Java vulnerabilities are only exploitable when Java is enabled in a browser.

I ask because we are currently required to keep Java updated on SAS workstations, but this doesn't seem necessary if the SAS version of Java isn't really open to Java vulnerabilities (since it's not interfacing with the internet).

Any help would be appreciated.  Thanks!

1 ACCEPTED SOLUTION

Mark_sas
SAS Employee

Note that the answer is actually different for 9.3 and 9.4.  For 9.3, SAS ships a standard JRE install which does indeed include the browser plug-in.  For 9.4, SAS uses a private JRE which does not install the browser plug-in and does not impact other applications on the system.


20 REPLIES
jakarman
Barite | Level 11

The standard SAS installation on a desktop will try to replace the default Java installation.
This approach will lock you in to be dependent on the browser/default version.

Knowing that, it is better to define a localized Java version by yourself and use that as the SAS version.

The advice is to install that SAS-JPRE, private Java version(s), on a local drive.
Once I got different behavior when it was installed on a network-drive or a local-drive as something with locking the log-files and more.

The SAS-code that will use this Java-run time can be placed on network drives. The ini-files are having the options/settings and there are no windows-registry or dll's involved. You could use a copy-deploy approach.  The more difficult clients are Eguide Amo and SAS/base as they are for more integrating into Windows.   

For fun after 9.3 the encoding of the JAVA environment is used in SAS not of the used OS.

---->-- ja karman --<-----
blashmet
Calcite | Level 5

Thanks for your comments, however, I'm not sure they answered my questions.

To reiterate,

I want to know if allowing SAS to install Java means the browser component of Java will also be installed. If not, is that system still open to Java vulnerabilities?

jakarman
Barite | Level 11

Blashmet.

To repeat:

If you only type setup and say yes to all the defaults it will also do the browser (standard java install).

a/ You will be vulnerable by the browser by that Java version

b/ your change/update process is introducing a dependency. Some updates of Java may hurt SAS processing.

Change the installation approach so you do not use that combined approach.

Do not use the same java-vm for the browser and SAS. So:

a/ you can still disable/not run Java in the browser or use a dedicated verified version for that. You will not be vulnerable at that part.

b/ run the SAS system with Java in a well-secured OS security setting. No matter how buggy Java is, it will not get out of that OS isolation level of your user/system processes. (Do not run them at root level.)

The browser vulnerability is caused by breaking barriers of outer world - inner world.

That is a non-existent situation when running SAS, as it is only the inner world.

---->-- ja karman --<-----
Mark_sas
SAS Employee

Note that the answer is actually different for 9.3 and 9.4.  For 9.3, SAS ships a standard JRE install which does indeed include the browser plug-in.  For 9.4, SAS uses a private JRE which does not install the browser plug-in and does not impact other applications on the system.


jakarman
Barite | Level 11

Thanks Mark, that is indeed an improvement as it is avoiding the default Oracle Java-installation procedure.
There are more challenges like:

- the .Net security and manifest file being abandoned by Microsoft.

- Virtualisation issues as of CCM (former Soft-Grid) with the default smaller machine setups as of VDI

- The reference file to a webserver with EMiner as part of the client software, not the client configuration

- ...

Any improvements / "what is new" on those parts?

I could not resist asking this because there are a lot of issues getting SAS installations aligned according to common IT governance policies.

---->-- ja karman --<-----
blashmet
Calcite | Level 5

Is there a way to use a "private" version of Java with SAS 9.3? Is there a way to simply delete the browser plugin?

Mark_sas
SAS Employee

SAS 9.3 relies on a public JRE, either the one included in your order or one which is preinstalled on your system.  You'll need to consult your public JRE supplier if you're looking for a way to delete the browser plugin.  The last I explored this, Oracle recommended you disable the plugin via disabling Java in the browser interface rather than supplying a way to avoid installing it in the first place.


Andre
Obsidian | Level 7

Last week, I observed that with the update of Java 1.7.0.45 this security update was destroying every other Java directory inside c:\Programs Files\Java, so the 9.3.2 32-bit version was touched by this, as originally, where you were accepting the install of SAS, the 1.6.0.24 was installed by default in the directory where Oracle is now purging anything other than jre7.

The consequence was no graphics inside SAS and:

ERROR: The Java proxy is not responding.
ERROR: The Java proxy's JNI call to start the VM failed.
ERROR: Java failed to start during the SAS startup.

The bypass I have found is to correct all the sasv9.cfg files.

For 9.3.2, the urgent bypass consists perhaps in modifying the config files (case: Windows 7 32-bit, SAS 9.3.2 32-bit):

-Dsas.jre.libjvm=C:\PROGRA~1\Java\JRE7\bin\client\jvm.dll

and the sassw.config and wrapper.conf files with the new location of the 32-bit Java:

\java\JRE7\

Andre
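An added example, not part of Andre's post and not SAS tooling: a small audit that reads the text of a SAS config file, finds each `-Dsas.jre.libjvm=` setting, and reports whether it points into the machine-wide Java directory that a public JRE update can purge and whether the referenced jvm.dll is gone. The function name `audit_config`, the `SHARED_JAVA_DIRS` prefixes, the quoted-value and `/* */` comment handling, and the `D:\SASJRE` path are assumptions; the sample config text is constructed.

```python
import ntpath
import os
import re

# Option name as quoted in the thread; accepting a quoted value is an assumption.
LIBJVM_RE = re.compile(r'-Dsas\.jre\.libjvm=(?:"([^"]+)"|([^\s)"]+))', re.IGNORECASE)

# Assumption: prefixes of the machine-wide directory managed by a public JRE installer.
SHARED_JAVA_DIRS = (
    r"c:\program files\java",
    r"c:\program files (x86)\java",
    r"c:\progra~1\java",
    r"c:\progra~2\java",
)

def audit_config(text, exists=os.path.exists):
    """Return one finding per libjvm setting found in a SAS config file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("/*"):  # assumed comment syntax: skip the line
            continue
        for m in LIBJVM_RE.finditer(line):
            dll = m.group(1) or m.group(2)
            norm = ntpath.normpath(dll)
            # jvm.dll sits in <jre home>\bin\client, so go three levels up.
            home = ntpath.dirname(ntpath.dirname(ntpath.dirname(norm)))
            shared = norm.lower().startswith(tuple(d + "\\" for d in SHARED_JAVA_DIRS))
            findings.append({
                "line": lineno,
                "jvm_dll": dll,
                "jre_home": home,
                "shared": shared,            # shares a directory with the public JRE
                "missing": not exists(dll),  # leads to "Java proxy" startup errors
            })
    return findings

# Constructed sample input, not a real sasv9.cfg.
SAMPLE_CFG = r"""
/* constructed sample */
-JREOPTIONS=(
 -Dsas.jre.libjvm=C:\PROGRA~1\Java\JRE7\bin\client\jvm.dll
 )
"""
SAMPLE_PRIVATE = r'-JREOPTIONS=(-Dsas.jre.libjvm="D:\SASJRE\jre6\bin\client\jvm.dll")'

if __name__ == "__main__":
    for sample in (SAMPLE_CFG, SAMPLE_PRIVATE):
        for finding in audit_config(sample):
            print(finding)
```

A finding with `shared` true means a Java update on that workstation can change or remove the runtime SAS starts with; `missing` true matches the startup failure described in the post above.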

Andre
Obsidian | Level 7

I must add that this morning, 24 October, the Oracle update 1.0.7.45 was no longer uninstalling the 1.0.6.24,

so the maintenance of a bundle of individual Windows installs is now easier than last week.

Andre

jakarman
Barite | Level 11

Andre, that behavior with all errors is "as expected" in the way I have described before.
You just changed the Java version inside base/Foundation.
When other clients are involved (AMO 9.3 and up, DI Studio, SMC) you could have the same unpredictable results from Java updates.

The ini files of these clients, combined with a wrapper, have the location of the Java.

A JPRE is a simple copy of an existing Java version to another location. That is as easy to create by yourself.

Having the original needed Java version somewhere, you can extract/isolate that with no hard work.

---->-- ja karman --<-----
blashmet
Calcite | Level 5

Does this mean one can create a JPRE and copy it from machine to machine without installing the browser plugin? For example, one just copies the Java folder and points SAS to it?

jakarman
Barite | Level 11

Blashmet, yes, copying it is as easy as that; that is JVM (JPRE) behavior.

---->-- ja karman --<-----
blashmet
Calcite | Level 5

How does one create a JPRE without installing the browser plugin? Do I copy the folder C:\Program Files (x86)\Java from a machine where I ran the installer to the new machine with SAS, and then point the SAS config files to it?

On another note, since it seems like SAS has the capability of connecting to the internet (see here), don't we still have to worry about Java vulnerabilities even if an old version of Java is in use by SAS and the browser plugin is not installed?

jakarman
Barite | Level 11

When you go to C:\Program Files\Java\jre7\bin you will find the exe files SAS is referring to in their config / ini files (Java run-time).

The welcome-html file is telling it has a run-time and a browser plugin. The browser plugin is working/found by Windows registry settings.

Indeed, just copying the JVM to another location will give you a usable JVM without touching the Windows registry.

If you do not have the browser plug-in of Java installed, it won't get touched by malicious webpages.

What is not there cannot harm you. If you need to use Java for one strange reason, you can do the updates as needed for the browser.

Having an isolated SAS Java version, you can delete all other old versions, so everyone must be convinced it is a safe situation.

You could find a Java version in the %sashome% location (installation 9.3), as many clients are using a dedicated Java (encoding part) version.

---->-- ja karman --<-----