Problem Note 70142: SAS® 9.4M7 (TS1M7) includes end-of-life Log4J version 1 libraries
 |  |  |  |  |
SAS 9.4M7 includes end-of-life Log4J version 1 libraries that might be flagged by security scanners. These libraries have been replaced with Reload4J in order to alleviate security concerns and scan findings for those who cannot upgrade to SAS® 9.4M8 (TS1M8).
Refer to Log4j v1 Vulnerabilities and SAS Security Update for SAS® 9.4M7 (TS1M7) for details and instructions before applying hot fixes.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Additional Notes:
Log4j v1 filenames are preserved in the SASHome and SASConfig directories in order to eliminate the need for code changes in the SAS software. Deployment tools installed to the SASHome directory, such as SAS® Deployment Manager, use the Reload4j libraries with the preserved Log4j v1 filenames.
Because Log4 v1 filenames in your SASHome and SASConfig directories are preserved, security scanning utilities that evaluate the filenames might incorrectly identify the updated Reload4j libraries as Log4j v1 libraries. You should examine any Log4j v1 jar file that is identified by security scanning utilities to verify that the content of the jar file is Reload4j.
The SAS® 9.4M7 Deployment Wizard (SDW) and the SAS® Migration Utility (SMU) use Log4j v1 libraries that are in the SAS Software Depot directory for installations and migrations. The Log4j v1 libraries in that directory are not in use when SAS software is running. SAS® 9.4M8 (TS1M8) uses Log4J v2 libraries.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | Base SAS | z/OS | 9.4_M7 | 9.4 TS1M7 | ||
| z/OS 64-bit | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft® Windows® for x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 8 Enterprise 32-bit | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 8 Enterprise x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 8 Pro 32-bit | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 8 Pro x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 8.1 Enterprise 32-bit | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 8.1 Enterprise x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 8.1 Pro 32-bit | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 8.1 Pro x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 10 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows 11 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2008 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2008 R2 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2008 for x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2012 Datacenter | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2012 R2 Datacenter | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2012 R2 Std | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2012 Std | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2016 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2019 | 9.4_M7 | 9.4 TS1M7 | ||||
| Microsoft Windows Server 2022 | 9.4_M7 | 9.4 TS1M7 | ||||
| Windows 7 Enterprise 32 bit | 9.4_M7 | 9.4 TS1M7 | ||||
| Windows 7 Enterprise x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Windows 7 Home Premium 32 bit | 9.4_M7 | 9.4 TS1M7 | ||||
| Windows 7 Home Premium x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Windows 7 Professional 32 bit | 9.4_M7 | 9.4 TS1M7 | ||||
| Windows 7 Professional x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Windows 7 Ultimate 32 bit | 9.4_M7 | 9.4 TS1M7 | ||||
| Windows 7 Ultimate x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| 64-bit Enabled AIX | 9.4_M7 | 9.4 TS1M7 | ||||
| 64-bit Enabled Solaris | 9.4_M7 | 9.4 TS1M7 | ||||
| HP-UX IPF | 9.4_M7 | 9.4 TS1M7 | ||||
| Linux for x64 | 9.4_M7 | 9.4 TS1M7 | ||||
| Solaris for x64 | 9.4_M7 | 9.4 TS1M7 | ||||
A fix for this issue for SAS Deployment Agent 9.49630 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/L1B.html#70142A fix for this issue for SAS Deployment Agent 9.49620 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/J2U.html#70142A fix for this issue for SAS Environment Manager Agent 2.5_M4 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/J9U.html#70142A fix for this issue for SAS Studio 3.81 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/J7H.html#70142A fix for this issue for SAS Middle Tier 9.4_M7 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/J2L.html#70142A fix for this issue for Data Integration Studio 4.7_M7 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/J7S.html#70142A fix for this issue for SAS Deployment Agent 9.49618 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/J2V.html#70142A fix for this issue for SAS/GRAPH Java Applets for Web Servers 9.46 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/K7C.html#70142A fix for this issue for SAS Marketing Automation 6.6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/H8P.html#70142A fix for this issue for SAS Marketing Optimization 6.6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/H8Q.html#70142A fix for this issue for SAS Risk and Finance Workbench 3.2 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/D4L.html#70142| Type: | Problem Note |
| Priority: | medium |
| Date Modified: | 2024-09-26 08:16:46 |
| Date Created: | 2023-06-07 14:17:08 |