BookmarkSubscribeRSS Feed
Obsidian | Level 7

In a few other posts there were notes about SAS EG and other desktop applications are not affected by the log4j vulnerability. However, when I run the suggested search I do find a log4j file under SAS Deployment Manager. The manual resolution for this file on the server is to zip the file up. Can this file be simply deleted on the desktop to remediate the vulnerability? I do see there is a windows version of loguccino.  Is it necessary to have administrator rights to a workstation to run this tool?

Opal | Level 21

I too found log4j files in Deployment Manager. I think it is safe to follow the server instructions to use loguccino to remove the offending software.

Community Manager
I agree. While SAS Deployment Manager is a client-side tool and not associated with any running service that might be vulnerable to these exploits, I understand the desire to make all log4j jar files show as "clean" in scans. So it should be safe to use the provided tools to remediate.
Fluorite | Level 6
The sas supplied loguccino scanner is finding log4j vulnerabilities in the M7 SAS Depot. If I use the patch step to fix these files, an install later fails with invalid checksums…. Is there a workaround?
SAS Employee

Hi Carl.  Please see the "Directories to Target" section of the Instructions for Loguccino.  Specifically the "Caution" statement.



Fluorite | Level 6
Thanks for pointing out that statement. I have to explain why the files should stay to qualify for a waiver, or delete them. This will help.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 5 replies
  • 5 in conversation