Official security bulletin: SAS Statement Regarding Remote Code Execution Vulnerability (CVE-2021-44228)
As SAS Technical Support and R&D experts have news and guidance to share about this vulnerability and its impact on SAS software and services, the teams will update the official security bulletin. To be notified when these updates occur, subscribe to this community topic by clicking the Subscribe button at the top of the message. Note that in order to subscribe you must be signed into the community with your SAS profile.
Alternatively you can follow the update notices (without signing in) via RSS Feed. Select Options -> RSS Feed and add to your preferred RSS feed reader.
Most recent updates:
- 12-14-2021 (8:00 PM EST) – Minor corrections within the Security Bulletin page, along with a "next update expected" announcement
- 12-14-2021 (3:00 PM EST) – Updates within the Security Bulletin page, including information on related vulnerabilities, links to instructions for SAS® Viya® 3.4 and SAS® Viya® 3.5, and evaluations and recommendations for SAS platforms, cloud solutions, and products
Next update expected: 12-15-2021 (by 1:00 PM EST).
Most recent updates:
- 12-15-2021 (1:00 PM EST) - Additional information about Memex® products, where to obtain updated signatures, and how to subscribe to bulletin updates
Next update expected: 12-15-2021 (by 9:00 PM EST)
Most recent updates:
- 12-15-2021 (11:00 PM EST) - Vulnerability scan guidance; additional guidance for SAS® 9.4; links to instructions for SAS® 9.4 and SAS® Viya® 2020.1 and later; update for IDeaS® products; update on remediation status for SAS® Customer Intelligence 360; evaluations and recommendations for SAS® Fraud Management and SAS® Business Orchestration Services
Next update expected: 12-16-2021 (approximately 1:00 PM EST)
Most recent updates:
- 12-16-2021 (7:00 AM EST) - Update on Memex® products
Next update expected: 12-16-2021 (approximately 1:00 PM EST)
Most recent updates:
- 12-16-2021 (6:00 PM EST) - Assessment of unauthenticated remote code execution (RCE) exploits (not possible), update on Memex® products and SAS® Customer Intelligence 360, evaluations and recommendations for SAS® Viya® 2021.x deployments with Open Distro for Elasticsearch, SAS® Adaptive Learning and Intelligent Agent System, SAS® Anti-Money Laundering, SAS® Customer Due Diligence, SAS® Identity 360, SAS® Real-Time Screening, and SAS® Visual Investigator
Next update expected: 12-17-2021 (approximately 6:00 PM EST)
Most recent updates:
- 12-17-2021 (10:00 PM EST) - Mitigation and remediation steps for SAS software, including upcoming repository scan-fix tool; instructions for SAS® Viya® 3.3; additional guidance for SAS® Cloud Solutions; solution guidance that aligns with dependent SAS products; updated information for SAS® Anti-Money Laundering, SAS® Customer Due Diligence, and SAS® Fraud Management; evaluations and recommendations for SAS® Analytics for IoT, SAS® Asset Performance Analytics, SAS® Energy Forecasting, SAS® Event Stream Processing, SAS® Field Quality Analytics, SAS® Production Quality Analytics, SASPy Python Interface to MVA SAS, SAS® Quality Analytic Suite, and SAS® Risk Management Solutions on both the 9.4 and SAS Viya platforms
Next update expected: 12-20-2021 (approximately 6:00 PM EST)
Most recent updates:
- 12-20-2021 (6:00 PM) – Reformatting of bulletin page, addition of CVE-2021-45105 to the related vulnerabilities, revised versioning information for the upcoming scan-fix tool, addition of z/OS within the platform-level instructions for SAS® 9.4, detailed evaluations and recommendations for SAS® Adaptive Learning and Intelligent Agent System (version 10.5.1), SAS® Intelligence and Investigation Management, SAS® Life Science Analytics Framework, and SAS® Visual Investigator (versions 10.5 and 10.5.1)
Next update expected: 12-21-2021 (approximately 6:00 PM EST)
Most recent updates:
- 12-21-2021 (6:00 PM EST) - Clarification of guidance for unauthenticated versus authenticated remote code execution; updated evaluations and recommendations for SAS® Platforms and SAS® Cloud Solutions; in the SAS® 9.4 instructions, added SAS Software depot to the list of directories to search; evaluation of SAS® 9.3 and SAS® 9.2; detailed evaluations and recommendations for SAS® Cost and Profitability Management, SAS® Demand Planning, SAS® Demand Signal Repository, SAS® Financial Management, SAS® Financial Planning and Assortment Planning, SAS® Forecast Analyst Workbench, SAS® Intelligence and Investigation Management (versions 1.2-1.4), SAS® Intelligent Planning, SAS® Inventory Optimization, SAS® Inventory Optimization Workbench, SAS® IT Resource Management, SAS® IT Resource Management for SAP, SAS® Markdown Optimization, SAS® Merchandise Allocation, SAS® Merchandise Planning, SAS® Pack Optimization, SAS® Profitability Management, SAS® Promotion Optimization, SAS® Regular Price Optimization, SAS® Size Optimization, SAS® Size Profiling, and SAS® Visual Investigator (version 10.4)
Next update expected: 12-22-2021 (approximately 6:00 PM EST)
Most recent updates:
- 12-22-2021 (9:00 PM EST) - Automated approach to remediation on SAS® 9.4 (Loguccino), removal of JndiLookup class on server vs client machines, detailed evaluations and recommendations for SAS® API for ThreatMetrix Offerings, SAS® Campaign Management, SAS® Clinical Trial Data Transparency, SAS® Continuous Monitoring Offerings, SAS® Customer Intelligence 360 Discover, SAS® Customer Intelligence 360 Engage: Digital, SAS® Customer Intelligence 360 Engage: Direct, SAS® Customer Intelligence 360 Engage: Email, SAS® Customer Intelligence 360 Engage: Optimize, SAS® Customer Intelligence 360 Match, SAS® Customer Intelligence 360 Plan, SAS® Detection and Investigation Offerings, SAS® Financial Crimes Analytics (on SAS® Viya®), SAS® Life Science Analytics Framework 5.4, SAS® Life Science Analytics Framework APIs and Extensions, SAS® Marketing Automation, SAS® Marketing Optimization, SAS® Orchestration Adapters, and SAS® Real-Time Decision Manager
Next update expected: 12-23-2021 (approximately 6:00 PM EST)
Today's bulletin update for the Remote Code Execution Vulnerability (CVE-2021-44228) is delayed until tomorrow morning, due to substantial changes that are being finalized. Instead, there will be a significant update to the guidance in the bulletin tomorrow, 12-24-2021 at 12:00 PM EST.
Most recent updates:
- 12-24-2021 (12:00 PM EST) - Automated approach to remediation on SAS® Viya® 3.x (loguccino) with corresponding adjustments in guidance and instructions; plans for updating to Log4j 2.17; detailed evaluations and recommendations for SAS® Analytics Accelerator for Teradata, SAS® Data Management Studio and Server, SAS® Data Quality Accelerators, SAS® Grid Manager, SAS® In-Database Technologies, SAS® Scoring Accelerators, SAS® Visual Analytics, and SAS® Visual Analytics Apps
Most recent update:
- 12-28-2021 (5:30 PM EST) - Addition of related vulnerability, CVE-2021-44832
Most recent update:
- 1-3-2022 (5:30 PM EST) – Updated guidance for SAS® 9.4; detailed evaluations and recommendations for SAS® Add-in for Microsoft Office and SAS® Enterprise Guide®
Most recent update:
- 1-4-2022 (6:00 PM EST) - Mapping of mitigation and remediation measures to specific Log4j CVEs; plans for delivery of Log4j versions 2.17.1+; detailed evaluation and recommendation for SAS® 9 Content Assessment