Problem Note 68768: A vulnerability in the Apache Log4j logging library affects Platform LSF
 |  |  |  |  |
Severity: Critical
Description: The Apache Log4j Java logging library that is included with Platform LSF is affected by the vulnerabilities that are described in the following CVE records:
Note: Platform LSF versions 10.1.0.6 and later are affected by Apache Log4j vulnerabilities.
Platform LSF 10.1.0.12 includes the vulnerability fixes. If the Apache Log4j vulnerabilities still appear in scans for Platform LSF 10.1.0.12 and the Platform LSF resource connector is not enabled, then remove the following files:
/LSF_TOP/10.1/resource_connector/*/lib/log4j-core-2.14.1.jar
/LSF_TOP/10.1/resource_connector/*/lib/log4j-api-2.14.1.jar
Note: Platform LSF is vulnerable only if a resource connector is enabled (disabled by default)
Important: Before you apply the Platform LSF patch that is associated with this note, perform the following step:
- Review the guidance that is provided in the following SAS Security Bulletin: SAS Statement Regarding Remote Code Execution Vulnerability (CVE-2021-44228).
Click the Downloads tab in this note to access the patch for this issue.
Operating System and Release Information
| Product Family | Product | System | SAS Release | |
| Reported | Fixed* | |||
| SAS System | Platform LSF | 64-bit Enabled AIX | 9.4 TS1M7 | |
| 64-bit Enabled Solaris | 9.4 TS1M7 | |||
| HP-UX IPF | 9.4 TS1M7 | |||
| Linux for x64 | 9.4 TS1M7 | |||
| Solaris for x64 | 9.4 TS1M7 | |||
Note: To remove the vulnerability for Apache Log4j in Platform LSF 10.1.0.6, install the E3K002 patch.
Note: To remove the vulnerability for Apache Log4j in Platform LSF 10.1.0.9, install the K3L003 patch.
| Type: | Problem Note |
| Priority: | alert |
| Date Modified: | 2023-08-09 09:47:53 |
| Date Created: | 2022-01-12 09:54:14 |