Problem Note 68992: SAS® Event Stream Processing contains a Log4J 1.x library with known vulnerabilities
 |  |  |  |  |
Severity: Informational
Description: SAS Event Stream Processing ships a Log4j 1.x library at /opt/sas/viya/home/SASEventStreamProcessingEngine/6.2/lib/log4j-1.2.17.jar. The following CVEs exist for Log4j 1.x:
Potential Impact: As described in the Log4j v1 security bulletin, SAS Event Stream Processing is not impacted by these vulnerabilities. But, the Log4j v1 library might be flagged by security scanners.
Note: Users of SAS Event Stream Processing 6.1 or earlier should contact SAS Technical Support for additional instructions.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Event Stream Processing for Edge Computing | Linux for x64 | 6.2 | Viya | ||
| Linux for AArch64 | 6.2 | Viya | ||||
| SAS System | SAS Event Stream Processing Engine | Linux for x64 | 6.2 | |||
| Microsoft® Windows® for x64 | 6.2 | |||||
An update for this issue is available for SAS Event Stream Processing 6.2. For instructions on how to access and apply this software update see the SAS Event Stream Processing 6.2 Deployment Guide links on
https://tshf.sas.com/techsup/download/hotfix/HF2/Viya_ESP_6_2_home.html#68992| Type: | Problem Note |
| Priority: | medium |
| Date Modified: | 2022-11-17 11:32:42 |
| Date Created: | 2022-03-09 14:28:01 |