70142 - SAS® 9.4M7 (TS1M7) includes end-of-life Log4J version 1 libraries

Problem Note 70142: SAS® 9.4M7 (TS1M7) includes end-of-life Log4J version 1 libraries

SAS 9.4M7 includes end-of-life Log4J version 1 libraries that might be flagged by security scanners. These libraries have been replaced with Reload4J in order to alleviate security concerns and scan findings for those who cannot upgrade to SAS^® 9.4M8 (TS1M8).

Refer to Log4j v1 Vulnerabilities and SAS Security Update for SAS® 9.4M7 (TS1M7) for details and instructions before applying hot fixes.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Additional Notes:

Log4j v1 filenames are preserved in the SASHome and SASConfig directories in order to eliminate the need for code changes in the SAS software. Deployment tools installed to the SASHome directory, such as SAS^® Deployment Manager, use the Reload4j libraries with the preserved Log4j v1 filenames.

Because Log4 v1 filenames in your SASHome and SASConfig directories are preserved, security scanning utilities that evaluate the filenames might incorrectly identify the updated Reload4j libraries as Log4j v1 libraries. You should examine any Log4j v1 jar file that is identified by security scanning utilities to verify that the content of the jar file is Reload4j.

The SAS^® 9.4M7 Deployment Wizard (SDW) and the SAS^® Migration Utility (SMU) use Log4j v1 libraries that are in the SAS Software Depot directory for installations and migrations. The Log4j v1 libraries in that directory are not in use when SAS software is running. SAS® 9.4M8 (TS1M8) uses Log4J v2 libraries.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	Base SAS	z/OS	9.4_M7		9.4 TS1M7
		z/OS 64-bit	9.4_M7		9.4 TS1M7
		Microsoft® Windows® for x64	9.4_M7		9.4 TS1M7
		Microsoft Windows 8 Enterprise 32-bit	9.4_M7		9.4 TS1M7
		Microsoft Windows 8 Enterprise x64	9.4_M7		9.4 TS1M7
		Microsoft Windows 8 Pro 32-bit	9.4_M7		9.4 TS1M7
		Microsoft Windows 8 Pro x64	9.4_M7		9.4 TS1M7
		Microsoft Windows 8.1 Enterprise 32-bit	9.4_M7		9.4 TS1M7
		Microsoft Windows 8.1 Enterprise x64	9.4_M7		9.4 TS1M7
		Microsoft Windows 8.1 Pro 32-bit	9.4_M7		9.4 TS1M7
		Microsoft Windows 8.1 Pro x64	9.4_M7		9.4 TS1M7
		Microsoft Windows 10	9.4_M7		9.4 TS1M7
		Microsoft Windows 11	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2008	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2008 R2	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2008 for x64	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2012 Datacenter	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2012 R2 Datacenter	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2012 R2 Std	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2012 Std	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2016	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2019	9.4_M7		9.4 TS1M7
		Microsoft Windows Server 2022	9.4_M7		9.4 TS1M7
		Windows 7 Enterprise 32 bit	9.4_M7		9.4 TS1M7
		Windows 7 Enterprise x64	9.4_M7		9.4 TS1M7
		Windows 7 Home Premium 32 bit	9.4_M7		9.4 TS1M7
		Windows 7 Home Premium x64	9.4_M7		9.4 TS1M7
		Windows 7 Professional 32 bit	9.4_M7		9.4 TS1M7
		Windows 7 Professional x64	9.4_M7		9.4 TS1M7
		Windows 7 Ultimate 32 bit	9.4_M7		9.4 TS1M7
		Windows 7 Ultimate x64	9.4_M7		9.4 TS1M7
		64-bit Enabled AIX	9.4_M7		9.4 TS1M7
		64-bit Enabled Solaris	9.4_M7		9.4 TS1M7
		HP-UX IPF	9.4_M7		9.4 TS1M7
		Linux for x64	9.4_M7		9.4 TS1M7
		Solaris for x64	9.4_M7		9.4 TS1M7

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type:	Problem Note
Priority:	medium

Date Modified:	2023-07-03 12:37:09
Date Created:	2023-06-07 14:17:08

Support

Problem Note 70142: SAS® 9.4M7 (TS1M7) includes end-of-life Log4J version 1 libraries

Operating System and Release Information