BookmarkSubscribeRSS Feed
🔒 This topic is locked. We are no longer accepting replies to this topic. Need further help? Please sign in and ask a new question.
SAS_TSNEWS
Moderator

Official security bulletin: SAS Statement Regarding Remote Code Execution Vulnerability (CVE-2021-44228)

 

As SAS Technical Support and R&D experts have news and guidance to share about this vulnerability and its impact on SAS software and services, the teams will update the official security bulletin. To be notified when these updates occur, subscribe to this community topic by clicking the Subscribe button at the top of the message. Note that in order to subscribe you must be signed into the community with your SAS profile.

 

Alternatively you can follow the update notices (without signing in) via RSS Feed. Select Options -> RSS Feed and add to your preferred RSS feed reader.

 

36 REPLIES 36
SAS_TSNEWS
Moderator

Most recent updates:

  • 12-14-2021 (8:00 PM EST) – Minor corrections within the Security Bulletin page, along with a "next update expected" announcement
  • 12-14-2021 (3:00 PM EST) – Updates within the Security Bulletin page, including information on related vulnerabilities, links to instructions for SAS® Viya® 3.4 and SAS® Viya® 3.5, and evaluations and recommendations for SAS platforms, cloud solutions, and products

Next update expected: 12-15-2021 (by 1:00 PM EST).

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-15-2021 (1:00 PM EST) - Additional information about Memex® products, where to obtain updated signatures, and how to subscribe to bulletin updates 

Next update expected: 12-15-2021 (by 9:00 PM EST)

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-15-2021 (11:00 PM EST) - Vulnerability scan guidance; additional guidance for SAS® 9.4; links to instructions for SAS® 9.4 and SAS® Viya® 2020.1 and later; update for IDeaS® products; update on remediation status for SAS® Customer Intelligence 360; evaluations and recommendations for SAS® Fraud Management and SAS® Business Orchestration Services

Next update expected: 12-16-2021 (approximately 1:00 PM EST)

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-16-2021 (7:00 AM EST) - Update on Memex® products

Next update expected: 12-16-2021 (approximately 1:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-16-2021 (6:00 PM EST) - Assessment of unauthenticated remote code execution (RCE) exploits (not possible), update on Memex® products and SAS® Customer Intelligence 360, evaluations and recommendations for SAS® Viya® 2021.x deployments with Open Distro for Elasticsearch, SAS® Adaptive Learning and Intelligent Agent System, SAS® Anti-Money Laundering, SAS® Customer Due Diligence, SAS® Identity 360, SAS® Real-Time Screening, and SAS® Visual Investigator  

Next update expected: 12-17-2021 (approximately 6:00 PM EST)

Read the full updated bulletin.

SAS_TS_ChrisD
SAS Employee

Most recent updates:

 

  • 12-17-2021 (10:00 PM EST) - Mitigation and remediation steps for SAS software, including upcoming repository scan-fix tool; instructions for SAS® Viya® 3.3; additional guidance for SAS® Cloud Solutions; solution guidance that aligns with dependent SAS products; updated information for SAS® Anti-Money Laundering, SAS® Customer Due Diligence, and SAS® Fraud Management; evaluations and recommendations for SAS® Analytics for IoT, SAS® Asset Performance Analytics, SAS® Energy Forecasting, SAS® Event Stream Processing, SAS® Field Quality Analytics, SAS® Production Quality Analytics, SASPy Python Interface to MVA SAS, SAS® Quality Analytic Suite, and SAS® Risk Management Solutions on both the 9.4 and SAS Viya platforms

 

Next update expected: 12-20-2021 (approximately 6:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-20-2021 (6:00PM) – Reformatting of bulletin page, addition of CVE-2021-45105 to the related vulnerabilities, revised versioning information for the upcoming scan-fix tool, addition of z/OS within the platform-level instructions for SAS® 9.4, detailed evaluations and recommendations for SAS® Adaptive Learning and Intelligent Agent System (version 10.5.1), SAS® Intelligence and Investigation Management, SAS® Life Science Analytics Framework, and SAS® Visual Investigator (versions 10.5 and 10.5.1)

Next update expected: 12-21-2021 (approximately 6:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-21-2021 (6:00 PM EST) - Clarification of guidance for unauthenticated versus authenticated remote code execution; updated evaluations and recommendations for SAS® Platforms and SAS® Cloud Solutions; in the SAS® 9.4 instructions, added SAS Software depot to the list of directories to search; evaluation of SAS® 9.3 and SAS® 9.2; detailed evaluations and recommendations for SAS® Cost and Profitability Management, SAS® Demand Planning, SAS® Demand Signal Repository, SAS® Financial Management, SAS® Financial Planning and Assortment Planning, SAS® Forecast Analyst Workbench, SAS® Intelligence and Investigation Management (versions 1.2-1.4), SAS® Intelligent Planning, SAS® Inventory Optimization, SAS® Inventory Optimization Workbench, SAS® IT Resource Management, SAS® IT Resource Management for SAP, SAS® Markdown Optimization, SAS® Merchandise Allocation, SAS® Merchandise Planning, SAS® Pack Optimization, SAS® Profitability Management, SAS® Promotion Optimization, SAS® Regular Price Optimization, SAS® Size Optimization, SAS® Size Profiling, and SAS® Visual Investigator (version 10.4)

Next update expected: 12-22-2021 (approximately 6:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-22-2021 (9:00 PM EST) - Automated approach to remediation on SAS® 9.4 (Loguccino), removal of JndiLookup class on server vs client machines, detailed evaluations and recommendations for SAS® API for ThreatMetrix Offerings, SAS® Campaign Management, SAS® Clinical Trial Data Transparency, SAS® Continuous Monitoring Offerings, SAS® Customer Intelligence 360 Discover, SAS® Customer Intelligence 360 Engage: Digital, SAS® Customer Intelligence 360 Engage: Direct, SAS® Customer Intelligence 360 Engage: Email, SAS® Customer Intelligence 360 Engage: Optimize, SAS® Customer Intelligence 360 Match, SAS® Customer Intelligence 360 Plan, SAS® Detection and Investigation Offerings, SAS® Financial Crimes Analytics (on SAS® Viya®), SAS® Life Science Analytics Framework 5.4, SAS® Life Science Analytics Framework APIs and Extensions, SAS® Marketing Automation, SAS® Marketing Optimization, SAS® Orchestration Adapters, and SAS® Real-Time Decision Manager 

Next update expected: 12-23-2021 (approximately 6:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Today's bulletin update for the Remote Code Execution Vulnerability (CVE-2021-44228) is delayed until tomorrow morning, due to substantial changes that are being finalized. Instead, there will be a significant update to the guidance in the bulletin tomorrow, 12-24-2021 at 12:00 PM EST.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-24-2021 (12:00 PM EST) - Automated approach to remediation on SAS® Viya® 3.(loguccino) with corresponding adjustments in guidance and instructions; plans for updating to Log4j 2.17; detailed evaluations and recommendations for SAS® Analytics Accelerator for Teradata, SAS® Data Management Studio and Server, SAS® Data Quality Accelerators, SAS® Grid Manager, SAS® In-Database Technologies, SAS® Scoring Accelerators, SAS® Visual Analytics, and SAS® Visual Analytics Apps

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent update:

  • 12-28-2021 (5:30 PM EST) - Addition of related vulnerability, CVE-2021-44832

Read the full updated bulletin.

SAS_TS_ChrisD
SAS Employee

Most recent update:

  • 1-3-2022 (5:30 PM EST) – Updated guidance for SAS® 9.4; detailed evaluations and recommendations for SAS® Add-in for Microsoft Office and SAS® Enterprise Guide® 
SAS_TS_Rayna
SAS Employee

Most recent update:

  • 1-4-2022 (6:00 PM EST) - Mapping of mitigation and remediation measures to specific Log4j CVEs; plans for delivery of Log4j versions 2.17.1+; detailed evaluation and recommendation for SAS® 9 Content Assessment

Read the full updated bulletin.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 36 replies
  • 37107 views
  • 19 likes
  • 3 in conversation