Reference Name: Log4j v1 Vulnerabilities (CVE-2021-4104 and others)
Severity: See the Evaluation section below
Status: See the Evaluation section below
History
- 6-30-2023 – Updated statement about SAS 9.4M7 (TS1M7)
- 3-24-2023 – Added evaluation for CVE-2023-26464
- 2-1-2023 – Updated statement about SAS® 9.4M8 (TS1M8)
- 12-16-2022 – Updated statement regarding the elimination of Log4J v1 from SAS® Viya® 3.5
- 10-20-2022 – Updated planned ship date for SAS® 9.4M8 (TS1M8)
- 9-23-2022 – Updated statement regarding the elimination of Log4j v1 from SAS® Viya® 3.5, SAS® Viya® 3.4, and SAS® 9.4M8 (TS1M8)
- 8-4-2022 – Updated statement regarding the elimination of Log4j v1 from SAS® Viya® 2022.1.3
- 7-28-2022 – Updated statement regarding the date for the elimination of Log4j v1 from SAS® Viya® 3.5
- 6-30-2022 – Revised statement regarding Log4j v1 elimination from SAS® Viya® 3.x and supported versions of SAS® Viya® 2020.1 and later, for clarity
- 6-16-2022 – Updated statement regarding Log4j v1 elimination from SAS® Viya® 3.x and supported versions of SAS® Viya® 2020.1 and later
- 3-3-2022 – Updated statement regarding Log4j v1
- 2-10-2022 – Updated evaluation for CVE-2022-23305
- 2-2-2022 – Bulletin created; information about recent Log4j v1 CVEs moved here from the bulletin for CVE-2021-44228
Summary
SAS has addressed the usage of Log4j v1 in the SAS 9.4M7 release with a security update. If you use SAS 9.4M7 or an earlier SAS 9.4 release, SAS recommends that you update to SAS 9.4M8 or later. As always, SAS recommends that you keep your SAS deployments up to date. The current version of the SAS®9 platform is SAS 9.4M8 (TS1M8). Instructions for upgrading are available.
Evaluation
Log4j v1 is currently included in the SAS® 9.4 and SAS® Viya® platforms.
SAS is aware of the following Log4j v1 vulnerabilities:
CVE | Severity | Impact |
---|---|---|
CVE-2023-26464 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because Apache Chainsaw and SocketAppender are not used. |
CVE-2022-23307 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because Apache Chainsaw is not used. |
CVE-2022-23305 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because the JDBCAppender is not configured. |
CVE-2022-23302 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because JMSSink is not configured. |
CVE-2021-4104 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because the JMSAppender is not configured. |
CVE-2020-9488 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because SMTP appenders are not configured. |
CVE-2019-17571 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because socket servers are not configured. |
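The table's "not vulnerable in the default configuration" finding rests on a verifiable condition: none of the named Log4j v1 components is configured. The following audit script is an added example (not SAS code and not part of this bulletin) that maps each CVE in the table to the Log4j 1.x class names that would have to appear in a log4j.properties or log4j.xml file for the CVE to apply, and reports any that are active, ignoring commented-out entries. The two sample configurations are constructed; the socket-server classes for CVE-2019-17571 are usually launched from a command line rather than a config file, so startup scripts are worth feeding through the same check.

```python
# Added example, not part of the SAS bulletin: map each CVE in the Evaluation
# table to the Log4j v1 classes that must be configured for it to apply, then
# check a log4j.properties or log4j.xml text for those classes, ignoring
# commented-out lines.  The sample configs below are constructed.
import re

RISKY_COMPONENTS = {
    "CVE-2023-26464": ("org.apache.log4j.net.SocketAppender", "org.apache.log4j.chainsaw."),
    "CVE-2022-23307": ("org.apache.log4j.chainsaw.",),
    "CVE-2022-23305": ("org.apache.log4j.jdbc.JDBCAppender",),
    "CVE-2022-23302": ("org.apache.log4j.net.JMSSink",),
    "CVE-2021-4104":  ("org.apache.log4j.net.JMSAppender",),
    "CVE-2020-9488":  ("org.apache.log4j.net.SMTPAppender",),
    "CVE-2019-17571": ("org.apache.log4j.net.SocketServer", "org.apache.log4j.net.SimpleSocketServer"),
}

def strip_comments(text: str) -> str:
    """Drop XML comments and '#'/'!' comment lines so disabled appenders do not count."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(("#", "!")))

def audit_config(text: str) -> dict:
    """Return {cve: [class names present]}; an empty dict means the bulletin's
    'not configured' condition holds for this file."""
    active = strip_comments(text)
    return {cve: [c for c in classes if c in active]
            for cve, classes in RISKY_COMPONENTS.items()
            if any(c in active for c in classes)}

# Constructed sample: file-only logging with the JMS appender commented out.
SAFE_PROPERTIES = """\
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

# Constructed sample: JMSAppender active, JDBCAppender only inside an XML comment.
RISKY_XML = """\
<log4j:configuration>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <!-- <appender name="db" class="org.apache.log4j.jdbc.JDBCAppender"/> -->
</log4j:configuration>
"""

if __name__ == "__main__":
    print(audit_config(SAFE_PROPERTIES))  # {}
    print(audit_config(RISKY_XML))        # {'CVE-2021-4104': ['org.apache.log4j.net.JMSAppender']}
```

A non-empty result does not by itself mean the deployment is exploitable; it means the configuration has left the bulletin's default case and the corresponding CVE needs its own assessment.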
Guidance, Activities, and Plans
June 30, 2023
SAS has addressed the usage of Log4j v1 in the SAS 9.4M7 release with a security update. If you use SAS 9.4M7 or an earlier SAS 9.4 release, SAS recommends that you update to SAS 9.4M8 or later.
February 1, 2023
SAS has eliminated usage of Log4j v1 in the SAS 9.4M8 release. If you use an earlier SAS 9.4 release, SAS recommends that you update to SAS 9.4M8.
December 16, 2022
SAS has eliminated usage of Log4j v1 from SAS Viya 3.5. SAS recommends that you update to the most recent version of your software or any version released on or after November 1, 2022.
October 20, 2022
SAS intends to eliminate usage of Log4j v1 in the upcoming release, SAS 9.4M8. The planned release date for SAS 9.4M8 is January 31, 2023.
September 23, 2022
Efforts are underway to eliminate usage of Log4j v1 from SAS Viya 3.5 with a software update in the fourth quarter of 2022.
SAS recommends that all customers who are using SAS Viya 3.4 upgrade to SAS Viya 3.5 to benefit from the planned elimination of Log4j v1 from SAS Viya 3.5.
SAS intends to eliminate usage of Log4j v1 in the upcoming release, SAS 9.4M8 (TS1M8). The planned release date for SAS 9.4M8 is November 15, 2022.
August 4, 2022
SAS has eliminated usage of Log4j v1 from SAS Viya 2022.1.3 and later with a software update.
July 28, 2022
SAS will eliminate usage of Log4j v1 from SAS Viya 3.5 with a software update by September 1, 2022.
June 30, 2022
In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable to the CVEs currently listed in this bulletin. Regardless, SAS is planning to eliminate Log4j v1 from SAS Viya 3.x and supported versions of SAS Viya 2020.1. Estimated release dates for eliminating Log4j v1 will be announced in August 2022. No customer action is required at this time.
March 3, 2022
Efforts are underway to eliminate usage of Log4j v1 from SAS Viya 3.x and supported versions of SAS Viya 2020.1 and later.
February 2, 2022
No customer action is required at this time.
SAS intends to eliminate usage of Log4j v1 in the upcoming release, SAS® 9.4M8 (TS1M8). At this time, the estimated release date for SAS 9.4M8 is in the fourth quarter of 2022.
Contact SAS Technical Support for additional details.