Hi,
Kindly advise if Log4j Vulnerability Remediation is to be performed for SAS client tools (like SAS Enterprise Guide) and if so what are the steps. In such case we would need to have it fixed for all users who would have installed SAS EG. Please advise.
A lot will depend on how EG was installed. If it was installed via an EG standalone installer then it is unlikely log4j software is included. I did a quick check on my laptop and can't find it in any EG install directories.
On the other hand if an installation was done from a full SAS Software Depot and that depot was copied to a client PC hard drive then the depot may contain log4j software. Also if SAS client tools other than EG were installed then it is possible log4j software will be included.
The bottom line is you really need to search any local hard drives to be sure. In Windows Explorer search for this - log4j-core-2.*.jar
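The drive search suggested in the reply above, scripted in PowerShell so it can be run on each client PC (an added example, not part of the original post and not SAS-provided code). The function names and the CSV output path are assumptions; besides matching the file name, it checks each jar for the JndiLookup class.

```powershell
# Added example: inventory log4j-core 2.x jars on local fixed drives.
# Function names and the output path are illustrative assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Class used by the JNDI lookup feature inside log4j-core.
$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Test-JarHasJndiLookup {
    param([string]$Path)
    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        return [bool]($zip.Entries | Where-Object { $_.FullName -eq $JndiEntry })
    } catch {
        return $null   # unreadable or corrupt jar: review it by hand
    } finally {
        if ($zip) { $zip.Dispose() }
    }
}

function Find-Log4jCore {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        # Same pattern as the Windows Explorer search: log4j-core-2.*.jar
        Get-ChildItem -Path $root -Filter 'log4j-core-2.*.jar' -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $version = if ($_.Name -match '^log4j-core-(2\.[0-9][0-9A-Za-z.\-]*)\.jar$') { $Matches[1] } else { 'unknown' }
                [pscustomobject]@{
                    Computer   = $env:COMPUTERNAME
                    Path       = $_.FullName
                    Version    = $version
                    JndiLookup = Test-JarHasJndiLookup -Path $_.FullName
                }
            }
    }
}

# Fixed local disks only (DriveType 3); network and removable drives are skipped.
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { $_.DeviceID + '\' }

Find-Log4jCore -Roots $roots |
    Export-Csv -Path "$env:TEMP\log4j-inventory.csv" -NoTypeInformation
```

A file-name search, scripted or done in Explorer, does not find log4j classes repackaged inside other archives, so an empty result covers only standalone log4j-core jars.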
Hi @judie_c1,
Here are the links to SAS resources regarding log4j:
SAS Statement Regarding Remote Code Execution Vulnerability
SAS Blog post Updates on the Apache Log4j CVE-2021-44228 vulnerability
Lengthy Community thread with many questions / responses
I hope this helps,
Joe
SAS Enterprise Guide is a Microsoft .Net application. No Log4j patching.
However, client tools from the server (SAS Studio etc.) should be covered by patching on the server.
In case of doubt, SAS Tech Support should be of great help.
EG is, as mentioned, based on .NET, so it will have other vulnerabilities (after all, .NET is from Microsoft 😉 )
But if you have other clients installed locally (Management Console, Information Map Studio, OLAP Cube Studio), these are based on Java and might carry vulnerabilities, although the danger is not as big as on servers (you would have to somehow create a loggable event in those apps - on your own! - that carries a malicious string)
Is there any order we need to do the log4j remediation? Like start with meta, compute and then mid-tier?