cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
DJWanna
Obsidian | Level 7 DJWanna
Obsidian | Level 7

Log4j Vulnerability for SAS Deployment Manager

Posted 12-30-2021 10:20 AM (2013 views)

In a few other posts there were notes about SAS EG and other desktop applications are not affected by the log4j vulnerability. However, when I run the suggested search I do find a log4j file under SAS Deployment Manager. The manual resolution for this file on the server is to zip the file up. Can this file be simply deleted on the desktop to remediate the vulnerability? I do see there is a windows version of loguccino.  Is it necessary to have administrator rights to a workstation to run this tool?

0 Likes
Reply
5 REPLIES 5
SASKiwi
Opal | Level 21 SASKiwi
Opal | Level 21

Re: Log4j Vulnerability for SAS Deployment Manager

Posted 01-01-2022 03:35 AM (1912 views)  |   In reply to DJWanna

I too found log4j files in Deployment Manager. I think it is safe to follow the server instructions to use loguccino to remove the offending software.

Reply
ChrisHemedinger
Community Manager ChrisHemedinger
Community Manager

Re: Log4j Vulnerability for SAS Deployment Manager

Posted 01-01-2022 03:14 PM (1860 views)  |   In reply to SASKiwi
I agree. While SAS Deployment Manager is a client-side tool and not associated with any running service that might be vulnerable to these exploits, I understand the desire to make all log4j jar files show as "clean" in scans. So it should be safe to use the provided tools to remediate.
0 Likes
Reply
CarlZeigler
Fluorite | Level 6 CarlZeigler
Fluorite | Level 6

Re: Log4j Vulnerability for SAS Deployment Manager

Posted 04-14-2022 08:42 AM (1150 views)  |   In reply to ChrisHemedinger
The sas supplied loguccino scanner is finding log4j vulnerabilities in the M7 SAS Depot. If I use the patch step to fix these files, an install later fails with invalid checksums…. Is there a workaround?
0 Likes
Reply
ronf_sas
SAS Employee ronf_sas
SAS Employee

Re: Log4j Vulnerability for SAS Deployment Manager

Posted 04-14-2022 08:59 AM (1146 views)  |   In reply to CarlZeigler

Hi Carl.  Please see the "Directories to Target" section of the Instructions for Loguccino.  Specifically the "Caution" statement.

 

https://go.documentation.sas.com/doc/en/log4j/1.0/p1pymcg1f06injn10rho5mkmmhe4.htm

 

 

Reply
CarlZeigler
Fluorite | Level 6 CarlZeigler
Fluorite | Level 6

Re: Log4j Vulnerability for SAS Deployment Manager

Posted 04-18-2022 03:36 PM (1084 views)  |   In reply to ronf_sas
Thanks for pointing out that statement. I have to explain why the files should stay to qualify for a waiver, or delete them. This will help.
0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Watch CLI in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 5 replies
  • ‎12-30-2021 10:20 AM
  • 2014 views
  • 2 likes
  • 5 in conversation