Problem Note 68756: SAS® 9.4 products contain an Apache Log4J version 2 component with known vulnerabilities
 |  |  |  |  |
Severity: Critical
Description: SAS 9.4 contains an Apache Log4J version 2 component that is affected by the following known vulnerabilities:
Potential Impact: Refer to the CVE records listed in the previous section for details. Impacts vary and include the potential for remote code execution by an attacker.
Important:
- Unless otherwise noted below, the hot fixes provided here upgrade the affected Log4J libraries to version 2.17.1.
- The information in this SAS Note helps you implement the guidance that is provided in the SAS Security Bulletin, SAS Statement Regarding Remote Code Execution Vulnerability (CVE-2021-44228).
- Before you apply the patch that is provided by this SAS Note, review the guidance in the SAS Security Bulletin and also complete all instructions for the applicable platform in Instructions for the SAS® Response to Log4j Vulnerabilities.
- At this time, the hot fixes supplied in this note provide only partial (product-specific) mitigation. For anticipated timing of further updates, refer to SAS Statement Regarding Remote Code Execution Vulnerability (CVE-2021-44228).
- If necessary, this SAS Note will be updated as additional information becomes available.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | Base SAS | 64-bit Enabled Solaris | 9.4_M6 | 9.4 TS1M6 | ||
| 64-bit Enabled AIX | 9.4_M6 | 9.4 TS1M6 | ||||
| Windows 7 Ultimate x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Windows 7 Ultimate 32 bit | 9.4_M6 | 9.4 TS1M6 | ||||
| Windows 7 Professional x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Windows 7 Professional 32 bit | 9.4_M6 | 9.4 TS1M6 | ||||
| Windows 7 Home Premium x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Windows 7 Home Premium 32 bit | 9.4_M6 | 9.4 TS1M6 | ||||
| Windows 7 Enterprise x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Windows 7 Enterprise 32 bit | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows Server 2019 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows Server 2016 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows Server 2012 Std | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows Server 2012 R2 Std | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows Server 2012 R2 Datacenter | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows Server 2012 Datacenter | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows Server 2008 for x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows Server 2008 R2 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows Server 2008 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows 10 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows 8.1 Pro x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows 8.1 Pro 32-bit | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows 8.1 Enterprise x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows 8.1 Enterprise 32-bit | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows 8 Pro x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows 8 Pro 32-bit | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows 8 Enterprise x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft Windows 8 Enterprise 32-bit | 9.4_M6 | 9.4 TS1M6 | ||||
| Microsoft® Windows® for x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| z/OS 64-bit | 9.4_M6 | 9.4 TS1M6 | ||||
| z/OS | 9.4_M6 | 9.4 TS1M6 | ||||
| HP-UX IPF | 9.4_M6 | 9.4 TS1M6 | ||||
| Linux for x64 | 9.4_M6 | 9.4 TS1M6 | ||||
| Solaris for x64 | 9.4_M6 | 9.4 TS1M6 | ||||
A fix for this issue for Platform Web Services for SAS 1.7 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/K4X.html#68756A fix for this issue for SAS Environment Manager 2.5_M4 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/J9V.html#68756A fix for this issue for SAS Environment Manager Agent 2.5_M4 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/J9U.html#68756A fix for this issue for SAS Metadata Bridges 4.41 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/L3F.html#68756A fix for this issue for Platform Web Services for SAS 1.61 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/G4I.html#68756A fix for this issue for SAS Grid Manager Module for SAS Environment Manager 1.61 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/K9W.html#68756A fix for this issue for SAS Visual Analytics 7.5 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/F9L.html#68756A fix for this issue for Platform Web Services for SAS 1.6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/G4H.html#68756A fix for this issue for SAS Environment Manager 2.5_M3 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/E8M.html#68756A fix for this issue for SAS Environment Manager Agent 2.5_M3 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/F9E.html#68756A fix for this issue for SAS Grid Manager Module for SAS Environment Manager 1.6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/F1G.html#68756A fix for this issue for SAS Risk Governance Framework 7.4 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/D4Z.html#68756| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2022-01-14 12:43:33 |
| Date Created: | 2022-01-10 14:20:32 |