COMMUNITIES

Select Your Region

Visit the Cary, NC, US corporate headquarters site

Americas

Europe

Middle East & Africa

Asia Pacific

View our worldwide contacts list for help finding your region

Americas

Europe

Middle East & Africa

Asia Pacific

Sign In

Get access to My SAS, trials, communities and more.

Sign Out

Get access to My SAS, trials, communities and more.

SAS Sites

sas.com
Support
Blogs
Communities
Developer
Curiosity
Videos

Documentation

Learn
Brand
PartnerNet
Merchandise

Administration and Deployment

Installing and maintaining your SAS environment
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
judie_c1
Calcite | Level 5 judie_c1
Calcite | Level 5
Go to Solution

Log4j Vulnerability - Remediation required for SAS client tools?

Posted 12-22-2021 06:42 AM (3409 views)

Hi,

 

Kindly advice if Log4j Vulnerability Remediation is to be performed for SAS client tools (like SAS Enterprise Guide) and if so what are the steps. In such case we would need to have it fixed for all users who would have installed SAS EG. Please advice.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions
SASKiwi
PROC Star SASKiwi
PROC Star

Re: Log4j Vulnerability - Remediation required for SAS client tools?

Posted 12-22-2021 05:06 PM (3207 views)  |   In reply to judie_c1

A lot will depend on how EG was installed. If it was installed via an EG standalone installer then it is unlikely log4j software is included. I did a quick check on my laptop and can't find it in any EG install directories.

 

On the other hand if an installation was done from a full SAS Software Depot and that depot was copied to a client PC hard drive then the depot may contain log4j software. Also if SAS client tools other than EG were installed then it is possible log4j software will be included.

 

The bottom line is you really need to search any local hard drives to be sure. In Windows Explorer search for this - log4j-core-2.*.jar

View solution in original post

5 REPLIES 5
joeFurbee
Community Manager joeFurbee
Community Manager

Re: Log4j Vulnerability - Remediation required for SAS client tools?

Posted 12-22-2021 08:08 AM (3341 views)  |   In reply to judie_c1

Hi @judie_c1,

Here are the links to SAS resources regarding log4j:

SAS Statement Regarding Remote Code Execution Vulnerability

SAS Blog post Updates on the Apache Log4j CVE-2021-44228 vulnerability

Lengthy Community thread with many questions / responses

 

I hope this helps,

Joe


Join us for SAS Community Trivia
SAS Bowl L, PROC HTTP
Wednesday, February 19, 2024, at 10:00 a.m. ET | #SASBowl
SASKiwi
PROC Star SASKiwi
PROC Star

Re: Log4j Vulnerability - Remediation required for SAS client tools?

Posted 12-22-2021 05:06 PM (3208 views)  |   In reply to judie_c1

A lot will depend on how EG was installed. If it was installed via an EG standalone installer then it is unlikely log4j software is included. I did a quick check on my laptop and can't find it in any EG install directories.

 

On the other hand if an installation was done from a full SAS Software Depot and that depot was copied to a client PC hard drive then the depot may contain log4j software. Also if SAS client tools other than EG were installed then it is possible log4j software will be included.

 

The bottom line is you really need to search any local hard drives to be sure. In Windows Explorer search for this - log4j-core-2.*.jar

Sajid01
Meteorite | Level 14 Sajid01
Meteorite | Level 14

Re: Log4j Vulnerability - Remediation required for SAS client tools?

Posted 12-23-2021 11:14 AM (3120 views)  |   In reply to judie_c1

SAS Enterprise Guide is a Microsoft .Net application.No Log4j patching.
However for client tools from server (SAS Studio etc) should be covered by patching in the server.
In case of a doubt SAS Tech Support should be of great help.

Kurt_Bremser
Super User Kurt_Bremser
Super User

Re: Log4j Vulnerability - Remediation required for SAS client tools?

Posted 12-23-2021 11:59 AM (3085 views)  |   In reply to judie_c1

EG is, as mentioned, based on .NET, so it will have other vulnerabilities (after all, .NET is from Microsoft 😉 )

 

But if you have other clients installed locally (Management Console, Information Map Studio, OLAP Cube Studio), these are based on Java and might carry vulnerabilities, although the danger is not as big as on servers (you would have to somehow create a loggable event in those apps - on your own! - that carries a malicious string)

Maxims of Maximally Efficient SAS Programmers
How to convert datasets to data steps
The macro for direct download as ZIP
How to post code
Please vote for Provide Sequential Search Capability for Hash Objects
How to deal with locked files on UNIX
0 Likes
muduki
Calcite | Level 5 muduki
Calcite | Level 5

Re: Log4j Vulnerability - Remediation required for SAS client tools?

Posted 02-14-2022 04:04 AM (2350 views)  |   In reply to Kurt_Bremser

is there any order we need to do the log4j remediation? like start with meta, compute and then mid-tier ?

0 Likes

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 5 replies
  • ‎12-22-2021 06:42 AM
  • 3410 views
  • 7 likes
  • 6 in conversation
Top