SAS Statement Regarding Log4j v1 Vulnerabilities 
(CVE-2021-4104 and Others)

Reference Name: Log4j v1 Vulnerabilities (CVE-2021-4104 and others)
Severity: See the Evaluation section below
Status: See the Evaluation section below


History

  • 6-30-2023 – Updated statement about SAS® 9.4M7 (TS1M7)
  • 3-24-2023 – Added evaluation for CVE-2023-26464
  • 2-1-2023 – Updated statement about SAS® 9.4M8 (TS1M8)
  • 12-16-2022 – Updated statement regarding the elimination of Log4J v1 from SAS® Viya® 3.5 
  • 10-20-2022 – Updated planned ship date for SAS® 9.4M8 (TS1M8)
  • 9-23-2022 – Updated statement regarding the elimination of Log4j v1 from SAS® Viya® 3.5, SAS® Viya® 3.4, and SAS® 9.4M8 (TS1M8) 
  • 8-4-2022 – Updated statement regarding the elimination of Log4j v1 from SAS® Viya® 2022.1.3
  • 7-28-2022 – Updated statement regarding the date for the elimination of Log4j v1 from SAS® Viya® 3.5
  • 6-30-2022 – Revised statement regarding Log4j v1 elimination from SAS® Viya® 3.x and supported versions of SAS® Viya® 2020.1 and later, for clarity
  • 6-16-2022 – Updated statement regarding Log4j v1 elimination from SAS® Viya® 3.x and supported versions of SAS® Viya® 2020.1 and later
  • 3-3-2022 – Updated statement regarding Log4j v1
  • 2-10-2022 – Updated evaluation for CVE-2022-23305 
  • 2-2-2022 – Bulletin created; information about recent Log4j v1 CVEs moved here from the bulletin for CVE-2021-44228

Evaluation

Log4j v1 is currently included in the SAS® 9.4 and SAS® Viya® platforms.

SAS is aware of the following Log4j v1 vulnerabilities:

CVE            | Severity      | Impact
CVE-2023-26464 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because Apache Chainsaw and SocketAppender are not used.
CVE-2022-23307 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because Apache Chainsaw is not used.
CVE-2022-23305 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because the JDBCAppender is not configured.
CVE-2022-23302 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because JMSSink is not configured.
CVE-2021-4104  | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because the JMSAppender is not configured.
CVE-2020-9488  | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because SMTP appenders are not configured.
CVE-2019-17571 | Informational | In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable because socket servers are not configured.
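Every entry in the table rests on the same condition: the affected component is not configured or not used. A customer who has customized logging (added a JDBC, JMS, SMTP or socket appender, or started the standalone SocketServer, JMSSink or Chainsaw programs) loses that protection. The following scanner, an added example that is not SAS code and is not part of this bulletin, checks a log4j.properties or log4j.xml file for the appender classes the table names and a java command line for the standalone programs. The sample configurations and command line are constructed for illustration; the class names are those of Log4j 1.2. Appenders that are only defined are reported separately from appenders a logger references, because the Log4j 1.x PropertyConfigurator and DOMConfigurator only instantiate appenders that a logger (or root) references, but a stale definition is still worth removing.

```python
"""Check Log4j 1.x deployments for the components named in this bulletin.

Constructed example: the configurations and command line below are made
up for illustration; nothing here is SAS code.
"""
import re
import xml.etree.ElementTree as ET

# Appender classes a log4j.properties / log4j.xml file can wire in,
# mapped to the bulletin CVE that concerns each one.
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.SocketAppender": "CVE-2023-26464",
    "org.apache.log4j.net.SMTPAppender": "CVE-2020-9488",
}

# Standalone Log4j 1.x programs that are started from a command line
# rather than from a configuration file.
RISKY_MAIN_CLASSES = {
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.chainsaw.Main": "CVE-2022-23307",
}

_APPENDER_KEY = re.compile(r"log4j\.appender\.([^.]+)")
_LOGGER_KEYS = ("log4j.rootLogger", "log4j.rootCategory",
                "log4j.logger.", "log4j.category.")


def _scan_properties(text):
    """Return ({appender name: class}, {names referenced by a logger})."""
    defined, attached = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = _APPENDER_KEY.fullmatch(key)
        if m:
            defined[m.group(1)] = value
        elif key.startswith(_LOGGER_KEYS):
            # "LEVEL, appenderA, appenderB": the first token is the level.
            attached.update(p.strip() for p in value.split(",")[1:])
    return defined, attached


def _scan_xml(text):
    """Same as _scan_properties, for the log4j.xml (DOMConfigurator) format."""
    root = ET.fromstring(text)
    defined = {a.get("name"): a.get("class") for a in root.iter("appender")}
    attached = {r.get("ref") for r in root.iter("appender-ref")}
    return defined, attached


def scan_config(text):
    """Return (appender name, class, CVE, attached) for each risky appender.

    'attached' is False when the appender is defined but nothing references
    it; the 1.x configurators do not instantiate such appenders.
    """
    is_xml = text.lstrip().startswith("<")
    defined, attached = _scan_xml(text) if is_xml else _scan_properties(text)
    return [(name, cls, RISKY_APPENDERS[cls], name in attached)
            for name, cls in defined.items() if cls in RISKY_APPENDERS]


def scan_command_line(cmdline):
    """Return (class, CVE) for each risky standalone program on a java command line."""
    tokens = cmdline.split()  # whole-token match avoids hits on similar names
    return [(cls, cve) for cls, cve in RISKY_MAIN_CLASSES.items() if cls in tokens]


def report(findings, cmd_findings):
    """Render scan results as human-readable lines."""
    lines = [f"{name} ({cls}): {cve} - "
             f"{'ATTACHED to a logger' if attached else 'defined but not attached'}"
             for name, cls, cve, attached in findings]
    lines += [f"standalone program {cls}: {cve}" for cls, cve in cmd_findings]
    return lines or ["no bulletin components found"]


SAMPLE_PROPERTIES = """\
# Constructed log4j.properties: a safe file appender, a JMSAppender that
# the root logger uses, and a JDBCAppender that is defined but unused.
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:mysql://db.example.internal/logs
"""

SAMPLE_XML = """\
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="mail" class="org.apache.log4j.net.SMTPAppender">
    <param name="SMTPHost" value="smtp.example.internal"/>
  </appender>
  <appender name="sock" class="org.apache.log4j.net.SocketAppender"/>
  <root>
    <level value="WARN"/>
    <appender-ref ref="console"/>
    <appender-ref ref="mail"/>
  </root>
</log4j:configuration>
"""

# Constructed command line for a standalone Log4j 1.x socket server.
SAMPLE_CMDLINE = ("java -cp /opt/app/lib/log4j-1.2.17.jar "
                  "org.apache.log4j.net.SocketServer 4560 "
                  "/opt/app/log4j.properties /opt/app/sockconf")

if __name__ == "__main__":
    for label, text in (("log4j.properties", SAMPLE_PROPERTIES), ("log4j.xml", SAMPLE_XML)):
        print(f"== {label}")
        for line in report(scan_config(text), []):
            print("  " + line)
    print("== process command line")
    for line in report([], scan_command_line(SAMPLE_CMDLINE)):
        print("  " + line)
```

Point the scanner at every log4j.properties and log4j.xml under the SAS installation and at the command lines of running Java processes (for example from `ps -eo args`). A hit marked "ATTACHED to a logger", or any standalone program hit, means the default-configuration reasoning in the table no longer applies to that host and the appender or program should be removed or the upgrade guidance below followed.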


Guidance, Activities, and Plans 

June 30, 2023

SAS has addressed the usage of Log4j v1 in the SAS 9.4M7 release with a security update. If you use SAS 9.4M7 or an earlier SAS 9.4 release, SAS recommends that you update to SAS 9.4M8 or later.
 

February 1, 2023

SAS has eliminated usage of Log4j v1 in the SAS 9.4M8 release. If you use an earlier SAS 9.4 release, SAS recommends that you update to SAS 9.4M8. 

December 16, 2022

SAS has eliminated usage of Log4j v1 from SAS Viya 3.5. SAS recommends that you update to the most recent version of your software or any version released on or after November 1, 2022. 
 

October 20, 2022

SAS intends to eliminate usage of Log4j v1 in the future release, SAS 9.4M8. The planned release date for SAS 9.4M8 is January 31, 2023. 
 

September 23, 2022 

Efforts are underway to eliminate usage of Log4j v1 from SAS Viya 3.5 with a software update in the fourth quarter of 2022. 

SAS recommends that all customers who are using SAS Viya 3.4 upgrade to SAS Viya 3.5 to benefit from the planned elimination of Log4j v1 from SAS Viya 3.5. 

SAS intends to eliminate usage of Log4j v1 in the future release, SAS 9.4M8 (TS1M8). The planned release date for SAS 9.4M8 is November 15, 2022. 
 

August 4, 2022 

SAS has eliminated usage of Log4j v1 from SAS Viya 2022.1.3 and later with a software update.

July 28, 2022 

SAS will eliminate usage of Log4j v1 from SAS Viya 3.5 with a software update by September 1, 2022.

June 30, 2022

In their default configuration, the SAS 9.4 and SAS Viya platforms are not vulnerable to the CVEs currently listed in this bulletin. Regardless, SAS is planning to eliminate Log4j v1 from SAS Viya 3.x and supported versions of SAS Viya 2020.1. Estimated release dates for eliminating Log4j v1 will be announced in August 2022. No customer action is required at this time.

March 3, 2022 

Efforts are underway to eliminate usage of Log4j v1 from SAS Viya 3.x and supported versions of SAS Viya 2020.1 and later. 
 

February 2, 2022

No customer action is required at this time.  

SAS intends to eliminate usage of Log4j v1 in the future release SAS® 9.4M8 (TS1M8). At this time, the estimated release date for SAS 9.4M8 is in the fourth quarter of 2022. 

Contact SAS Technical Support for additional details. 
