Re: Log4j Vulnerability for SAS Deployment Manager

DJWanna · Posted 12-30-2021 10:20 AM

In a few other posts there were notes about SAS EG and other desktop applications are not affected by the log4j vulnerability. However, when I run the suggested search I do find a log4j file under SAS Deployment Manager. The manual resolution for this file on the server is to zip the file up. Can this file be simply deleted on the desktop to remediate the vulnerability? I do see there is a windows version of loguccino. Is it necessary to have administrator rights to a workstation to run this tool?

SASKiwi · Posted 01-01-2022 03:35 AM

I too found log4j files in Deployment Manager. I think it is safe to follow the server instructions to use loguccino to remove the offending software.

ChrisHemedinger · Posted 01-01-2022 03:14 PM

I agree. While SAS Deployment Manager is a client-side tool and not associated with any running service that might be vulnerable to these exploits, I understand the desire to make all log4j jar files show as "clean" in scans. So it should be safe to use the provided tools to remediate.

Learn from the Experts! Check out the huge catalog of free sessions in the Ask the Expert webinar series.

CarlZeigler · Posted 04-14-2022 08:42 AM

The sas supplied loguccino scanner is finding log4j vulnerabilities in the M7 SAS Depot. If I use the patch step to fix these files, an install later fails with invalid checksums…. Is there a workaround?

ronf_sas · Posted 04-14-2022 08:59 AM

Hi Carl. Please see the "Directories to Target" section of the Instructions for Loguccino. Specifically the "Caution" statement.

https://go.documentation.sas.com/doc/en/log4j/1.0/p1pymcg1f06injn10rho5mkmmhe4.htm

CarlZeigler · Posted 04-18-2022 03:36 PM

Thanks for pointing out that statement. I have to explain why the files should stay to qualify for a waiver, or delete them. This will help.