BookmarkSubscribeRSS Feed
DJWanna
Obsidian | Level 7

In a few other posts there were notes about SAS EG and other desktop applications are not affected by the log4j vulnerability. However, when I run the suggested search I do find a log4j file under SAS Deployment Manager. The manual resolution for this file on the server is to zip the file up. Can this file be simply deleted on the desktop to remediate the vulnerability? I do see there is a windows version of loguccino.  Is it necessary to have administrator rights to a workstation to run this tool?

5 REPLIES 5
SASKiwi
PROC Star

I too found log4j files in Deployment Manager. I think it is safe to follow the server instructions to use loguccino to remove the offending software.

ChrisHemedinger
Community Manager
I agree. While SAS Deployment Manager is a client-side tool and not associated with any running service that might be vulnerable to these exploits, I understand the desire to make all log4j jar files show as "clean" in scans. So it should be safe to use the provided tools to remediate.
Learn from the Experts! Check out the huge catalog of free sessions in the Ask the Expert webinar series.
CarlZeigler
Fluorite | Level 6
The sas supplied loguccino scanner is finding log4j vulnerabilities in the M7 SAS Depot. If I use the patch step to fix these files, an install later fails with invalid checksums…. Is there a workaround?
ronf_sas
SAS Employee

Hi Carl.  Please see the "Directories to Target" section of the Instructions for Loguccino.  Specifically the "Caution" statement.

 

https://go.documentation.sas.com/doc/en/log4j/1.0/p1pymcg1f06injn10rho5mkmmhe4.htm

 

 

CarlZeigler
Fluorite | Level 6
Thanks for pointing out that statement. I have to explain why the files should stay to qualify for a waiver, or delete them. This will help.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 5 replies
  • 2863 views
  • 2 likes
  • 5 in conversation