SAS Statement Regarding Remote Code Execution Vulnerability (CVE-2021-44228)

Reference Name: Remote Code Execution Vulnerability (CVE-2021-44228)
Severity: Critical
Status: Active / Recovery


History (Updated)


Note: For each update listed in the History section, new or updated text is marked and is rendered in a darker color. The marks indicate changes from only the immediately preceding version of the bulletin.

  • 9-22-2022 – Updated statements regarding SAS® Viya® 3.5 and SAS® Viya® 3.4  
  • 9-15-2022 - Updated the planned ship date for SAS® 9.4M8 in the Guidance, Activities, and Plans section
  • 5-5-2022 – Updated statements regarding SAS® Life Science Analytics Framework
  • 3-31-2022 – Updated measures and recommendations for SAS® 9.4, given the release of security updates for SAS® 9.4M6 (TS1M6) and SAS® 9.4M7 (TS1M7) on March 31, 2022; updated recommendations for SAS® Fraud Management
  • 3-11-2022 – Updated statement regarding recommendations for SAS® Viya® 3.5 and SAS® Viya® 3.4
  • 3-10-2022 – Updated statement regarding recommendation for SAS® Viya® 2020.1 and later; added links to SAS Help Center for update steps for SAS® Viya® 2020.1 and later, SAS® Viya® 3.5, and SAS® Viya® 3.4 
  • 3-3-2022 – Updated statement regarding completion of delivery of patches for SAS® Viya® 3.4
  • 2-24-2022 – Updated statement regarding completion of delivery of patches for SAS® Viya® 2020.1 and later; updated recommendations for SAS® Risk Management Solutions on SAS® Viya® regarding Apache Solr 
  • 2-17-2022 – Updated recommendations for SAS® Viya® 3.5; updated planned ship date of SAS® 9.4M8 
  • 2-3-2022 – Updated recommendations for SAS® Life Science Analytics Framework
  • 2-2-2022 – Log4j version 1 information and guidance moved to a separate bulletin, SAS Statement Regarding Log4j v1 Vulnerabilities (CVE-2021-4104 and Others)
  • 1-26-2022 (2:00 PM EST) – Updated recommendations for SAS® Event Stream Processing
  • 1-25-2022 (3:00 PM EST) – Updated recommendations for SAS® Data Management Studio and Server 
  • 1-24-2022 (5:00 PM EST) – Added implications of SAS® 9.4 remediations for SAS Software Depot 
  • 1-21-2022 (3:00 PM EST) – Addition of related vulnerability, CVE-2022-23307; updated recommendations for SAS® Life Science Analytics Framework 
  • 1-18-2022 (5:00 PM EST) – Updated guidance and recommendations for SAS® Viya® 2020.1 and later (given the release of SAS® Viya® 2021.2.3 on January 19, 2022)
  • 1-14-2022 (5:00 PM EST) – Removal of product-specific steps for SAS® Visual Investigator that were referenced in the recommendations for other products and solutions; updated recommendations for SAS® Enterprise Session Monitor and SAS® Risk Management Solutions (SAS Viya) 
  • 1-13-2022 (5:00 PM EST) – Addition of Log4j 2.17.1+ delivery dates for SAS® 9.4M6, SAS® 9.4M7, and SAS® Viya® 3.4; clarified information regarding elimination of Log4j version 1 with the SAS® 9.4M8 release; addition of links to SAS Notes for SAS® 9.4, SAS® Viya® 3.4, and SAS® Viya® 3.5; updated recommendations for SAS® Business Orchestration Services, SAS® Grid Manager, SAS® Scalable Performance Data Engine, and JMP® products
  • 1-11-2022 (5:00 PM EST) - Guidance for deployments that provide access from Base SAS® to Hadoop; updated recommendations for SAS® Visual Investigator; detailed evaluations and recommendations for SAS® Data Loader for Hadoop, SAS® Scalable Performance Data Engine, and SAS/ACCESS® 
  • 1-10-2022 (4:00 PM EST) - Plans for updating to Log4j 2.17.1+ in SAS® 9.4M6 (TS1M6); updated recommendations for SAS® Anti-Money Laundering, SAS® Customer Due Diligence, and SAS® Enterprise GRC (under the SAS® Risk Management Solutions (SAS® 9.4) listing)
  • 1-7-2022 (4:00 PM EST) - Updated recommendations for SAS® Data Management Studio and SAS® Data Management Server
  • 1-6-2022 (5:00 PM EST) - Guidance for SAS® Viya 2020.1 and later deployments containing Open Distro for Elasticsearch; updated recommendations for SAS® Anti-Money Laundering, SAS® Customer Due Diligence, and SAS® Life Science Analytics Framework
  • 1-5-2022 (5:00 PM EST) - Guidance for handling third-party scan results after removing the JndiLookup class; detailed evaluations and recommendations for SAS® Enterprise Session Monitor; recommendations for additional versions of SAS® Merchandise Planning
  • 1-4-2022 (6:00 PM EST) - Mapping of mitigation and remediation measures to specific Log4j CVEs; plans for delivery of Log4j versions 2.17.1+; detailed evaluation and recommendation for SAS® 9 Content Assessment
  • 1-3-2022 (5:30 PM EST) - Updated guidance for SAS® 9.4; detailed evaluations and recommendations for SAS® Add-In for Microsoft Office and SAS® Enterprise Guide®
  • 12-28-2021 (5:30 PM EST) - Addition of related vulnerability, CVE-2021-44832
  • 12-24-2021 (12:00 PM EST) - Automated approach to remediation on SAS® Viya® 3.x (loguccino) with corresponding adjustments in guidance and instructions; plans for updating to Log4j 2.17; detailed evaluations and recommendations for SAS® Analytics Accelerator for Teradata, SAS® Data Management Studio and Server, SAS® Data Quality Accelerators, SAS® Grid Manager, SAS® In-Database Technologies, SAS® Scoring Accelerators, SAS® Visual Analytics, and SAS® Visual Analytics Apps
  • 12-22-2021 (9:00 PM EST) - Automated approach to remediation on SAS® 9.4 (Loguccino); removal of JndiLookup class on server vs client machines; detailed evaluations and recommendations for SAS® API for ThreatMetrix Offerings, SAS® Campaign Management, SAS® Clinical Trial Data Transparency, SAS® Continuous Monitoring Offerings, SAS® Customer Intelligence 360 Discover, SAS® Customer Intelligence 360 Engage: Digital, SAS® Customer Intelligence 360 Engage: Direct, SAS® Customer Intelligence 360 Engage: Email, SAS® Customer Intelligence 360 Engage: Optimize, SAS® Customer Intelligence 360 Match, SAS® Customer Intelligence 360 Plan, SAS® Detection and Investigation Offerings, SAS® Financial Crimes Analytics (on SAS® Viya®), SAS® Life Science Analytics Framework 5.4, SAS® Life Science Analytics Framework APIs and Extensions, SAS® Marketing Automation, SAS® Marketing Optimization, SAS® Orchestration Adapters, and SAS® Real-Time Decision Manager
  • 12-21-2021 (8:00 PM EST) - Clarification of guidance for unauthenticated versus authenticated remote code execution; updated evaluations and recommendations for SAS® Platforms and SAS® Cloud Solutions; in the SAS® 9.4 instructions, added SAS Software Depot to the list of directories to search; evaluation of SAS® 9.3 and SAS® 9.2; detailed evaluations and recommendations for SAS® Cost and Profitability Management, SAS® Demand Planning, SAS® Demand Signal Repository, SAS® Financial Management, SAS® Financial Planning and Assortment Planning, SAS® Forecast Analyst Workbench, SAS® Intelligence and Investigation Management (versions 1.2-1.4), SAS® Intelligent Planning, SAS® Inventory Optimization, SAS® Inventory Optimization Workbench, SAS® IT Resource Management, SAS® IT Resource Management for SAP, SAS® Markdown Optimization, SAS® Merchandise Allocation, SAS® Merchandise Planning, SAS® Pack Optimization, SAS® Profitability Management, SAS® Promotion Optimization, SAS® Regular Price Optimization, SAS® Size Optimization, SAS® Size Profiling, and SAS® Visual Investigator (version 10.4)
  • 12-20-2021 (6:00 PM EST) – Reformatting of bulletin page; addition of CVE-2021-45105 to the related vulnerabilities; revised versioning information for the upcoming scan-fix tool; addition of z/OS within the platform-level instructions for SAS® 9.4; detailed evaluations and recommendations for SAS® Adaptive Learning and Intelligent Agent System (version 10.5.1), SAS® Intelligence and Investigation Management, SAS® Life Science Analytics Framework, and SAS® Visual Investigator (versions 10.5 and 10.5.1)
  • 12-17-2021 (10:00 PM EST) - Mitigation and remediation steps for SAS software, including upcoming repository scan-fix tool; instructions for SAS® Viya® 3.3; additional guidance for SAS® Cloud Solutions; solution guidance that aligns with dependent SAS products; updated information for SAS® Anti-Money Laundering, SAS® Customer Due Diligence, and SAS® Fraud Management; evaluations and recommendations for SAS® Analytics for IoT, SAS® Asset Performance Analytics, SAS® Energy Forecasting, SAS® Event Stream Processing, SAS® Field Quality Analytics, SAS® Production Quality Analytics, SASPy Python Interface to MVA SAS, SAS® Quality Analytic Suite, and SAS® Risk Management Solutions on both the 9.4 and SAS Viya platforms
  • 12-16-2021 (6:00 PM EST) - Assessment of unauthenticated remote code execution (RCE) exploits (not possible); update on Memex® products and SAS® Customer Intelligence 360; evaluations and recommendations for SAS® Viya® 2020.1 and later deployments with Open Distro for Elasticsearch, SAS® Adaptive Learning and Intelligent Agent System, SAS® Anti-Money Laundering, SAS® Customer Due Diligence, SAS® Identity 360, SAS® Real-Time Screening, and SAS® Visual Investigator  
  • 12-16-2021 (7:00 AM EST) - Update on Memex® products
  • 12-15-2021 (11:00 PM EST) - Vulnerability scan guidance; additional guidance for SAS® 9.4; links to instructions for SAS® 9.4 and SAS® Viya® 2020.1 and later; update for IDeaS® products; update on remediation status for SAS® Customer Intelligence 360; evaluations and recommendations for SAS® Fraud Management and SAS® Business Orchestration Services
  • 12-15-2021 (1:00 PM EST) - Additional information about Memex® products, where to obtain updated signatures, and how to subscribe to bulletin updates 
  • 12-14-2021 (8:00 PM EST) – Minor corrections within the Security Bulletin page, along with a "next update expected" announcement
  • 12-14-2021 (3:00 PM EST) – Updates within the Security Bulletin page, including information about related vulnerabilities, links to instructions for SAS® Viya® 3.4 and SAS® Viya® 3.5, and evaluations and recommendations for SAS platforms, cloud solutions, and products 
  • 12-13-2021 – Updates made to Security Bulletin page regarding product impacts, given that public guidance has concluded that more recent Java versions cannot be considered as mitigating controls against this vulnerability; clarification of vulnerability and response efforts
  • 12-12-2021 – Initial solution and mitigation steps added
  • 12-11-2021 – Security Bulletin published
  • 12-09-2021 – Initial acknowledgment and investigation started

Impact, Description, and Related Vulnerabilities

Impact

SAS is investigating the remote code execution vulnerability in the Apache Log4j Java logging library (CVE-2021-44228). The vulnerability was initially disclosed on December 9, 2021. The vulnerability is also known as Log4Shell. It is rated with the highest CVSS base score of 10.0 / Critical. If exploited, it could potentially allow a remote unauthenticated attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers and take complete control of the system. The vulnerability affects Log4j versions 2.0 through 2.14.1.

Description

Log4j is an open-source, Java-based logging framework that is widely used in commercial and open-source software products to keep a record of activity within an application. As soon as SAS learned about this vulnerability, its security and R&D teams began detection and evaluation activities, methodically examining log files for any services using affected Log4j versions related to its software products and SAS® Cloud solutions. In addition, SAS contacted its security vendors for identification and assessment of third-party products used in its solutions.

Related Vulnerabilities

SAS is aware of the following related vulnerabilities. The R&D and security teams have triaged these for exposure and resolution. Details are available in the Guidance, Activities, and Plans section.

As additional Log4j vulnerabilities are discovered, SAS will prioritize them for exposure analysis and steps to resolution.

See also the security bulletin for SAS' assessment of Log4j v1 issues.

Guidance, Activities, and Plans (Updated)


SAS is conducting an ongoing investigation into its use of Log4j. The scope of the investigation is as follows: SAS 9.4 platform, SAS Viya platforms (3.3 and later), and the SAS 9 Logon process. At this time, the results of the investigation are as follows:

  • For unauthenticated remote code execution (RCE) exploits, the investigation indicates that such exploits are not possible at this time. This conclusion is based on the security community’s current understanding of CVE-2021-44228.
  • For potential authenticated RCE exposures, this bulletin documents mitigating those exposures as they are identified.
  • Client-side components from SAS do not require mitigation. Some client components contain earlier versions of Log4j, but normal usage of Log4j in those client components does not involve inbound connections, which are the basis of attacks that are related to the CVEs in this bulletin.

As the security community's understanding of Log4j vulnerabilities evolves, and SAS continues its investigation, SAS will address any new findings and surface concerns to customers.

Here is a summary of SAS activities in support of industry-standard mitigation and remediation measures:

Measure: In your deployment, add the JRE argument -Dlog4j2.formatMsgNoLookups=true.

This measure is a partial mitigation for CVE-2021-44228.

Consider using this measure in contexts where no other measure is available. For example, if you have SAS Viya 2020.1 or later and you cannot immediately update to at least SAS Viya 2021.2.3, you might choose to set the JRE argument. SAS provides instructions for setting the JRE argument in that context. 

Measure: In your deployment, remove the JndiLookup class from vulnerable versions of Log4j v2.

This measure is a comprehensive mitigation for CVE-2021-44228 and CVE-2021-45046, but it is not durable. You must re-apply this measure after each deployment-related activity (hot fix, update, or addition of software).

Note: Third-party scanning tools often base their results on the version information of the JAR file and do not account for JAR files that have been patched in this manner. You might continue to see false positives depending on how your tool is designed to detect remediation.

SAS recommends that you use this measure until SAS software that has a newer version of Log4j v2 is available. When you use this measure, you do not need to undo any previous measures. 

Note: For SAS Viya 2020.1 and later, this measure is not supported. (SAS Viya 2020.1 and later is distributed via Docker images, which are not compatible with this measure.)
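The note above explains why version-only scanners keep flagging a JAR after JndiLookup.class has been removed. The following scanner is an added example written for this page (it is not loguccino and not a SAS tool); it walks a directory tree, opens JAR/WAR/EAR files including archives nested inside them, and classifies each log4j-core it finds by both its manifest version and whether JndiLookup.class is still present, reporting only and never modifying files (so it is safe to point at a SAS Software Depot). The sample JARs it builds are constructed fixtures, not SAS artifacts.

```python
"""Classify log4j-core JARs by manifest version AND JndiLookup.class presence.
Added example, not loguccino or a SAS tool. Per the bulletin, 2.17.1+ fixes all
four listed CVEs, while removing JndiLookup.class mitigates only CVE-2021-44228
and CVE-2021-45046 and leaves the manifest version unchanged."""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
FIXED = (2, 17, 1)                                   # "2.17.1+" in the bulletin
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    m = re.match(r"\d+(?:\.\d+)*", text or "")       # '2.17.1-rc1' -> (2, 17, 1)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def manifest_version(zf):
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def classify(zf, name):
    """One finding for an opened log4j-core archive identified by `name`."""
    names = set(zf.namelist())
    ver_text = manifest_version(zf)
    if ver_text is None:                             # fall back to the file name
        m = NAME_RE.search(name)
        ver_text = m.group(1) if m else None
    version = parse_version(ver_text)
    has_jndi = JNDI_LOOKUP in names
    if version is not None and version >= FIXED:
        status = "fixed-version"                     # all four CVEs addressed
    elif not has_jndi:
        status = "mitigated-jndilookup-removed"      # version-only scanners miss this
    else:
        status = "vulnerable" if version else "unknown-version"
    return {"path": name, "version": ver_text,
            "jndilookup_present": has_jndi, "status": status}

def scan_zip(zf, name, findings):
    """Classify zf if it carries log4j-core classes, then recurse into nested archives."""
    entries = zf.namelist()
    if any(e.startswith(CORE_PREFIX) for e in entries):
        findings.append(classify(zf, name))
    for entry in entries:
        if entry.lower().endswith(ARCHIVE_EXT):       # JAR inside WAR/EAR
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except zipfile.BadZipFile:
                continue
            scan_zip(inner, f"{name}!/{entry}", findings)

def scan_tree(root):
    """Walk root (an install, config or depot directory) and report every log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(path) as zf:
                        scan_zip(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings

def _write_jar(target, version, with_jndi):
    """Constructed fixture: a minimal log4j-core-like JAR, not a real artifact."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

def build_sample_tree(root):
    """Constructed sample install: vulnerable, class-removed, fixed, and nested JARs."""
    _write_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    _write_jar(os.path.join(root, "log4j-core-2.14.1-patched.jar"), "2.14.1", False)
    _write_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)
    inner = io.BytesIO()                             # old core JAR embedded in a WAR
    _write_jar(inner, "2.13.0", True)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.0.jar", inner.getvalue())

def run_demo():
    """Build the constructed tree in a fresh temp dir and return the findings."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_tree(root)
```

Calling `scan_tree` on a real SAS installation directory lists every embedded log4j-core with its status; a JAR reported as "mitigated-jndilookup-removed" is exactly the case a version-based third-party scanner reports as a false positive.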

Measure: Use SAS software that has a newer version of Log4j.

This measure is the primary and definitive mitigation for Log4j v2 vulnerabilities. In this measure, you update your SAS software as patches and new versions become available. 

When you use this measure, you do not need to undo any previous measures. Here are details by SAS platform:

  • SAS has delivered all planned patches for SAS Viya 2020.1 and later. All supported cadences are at version 2.17.1 of Log4j, which fixes CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. 
  • SAS has delivered all planned patches to remediate Log4j v2 in SAS Viya 3.4 and SAS Viya 3.5. The SAS Viya 3.4 and SAS Viya 3.5 platforms, products, and solutions are at version 2.17.1 of Log4j. 
  • SAS has delivered software including version 2.17.1+ of Log4j for SAS 9.4M6 and SAS 9.4M7 (via SAS Security Updates released March 31, 2022). 

Note: 2.17.1+ refers to version 2.17.1 or later, which is expected to fix the following Log4j v2 vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. In each update in the preceding list, SAS intends to include the version of Log4j v2 that is most recent and has the least security risk.

  • In SAS 9.4M8 (a future release), SAS plans to provide comprehensive updates to address CVEs, including those attributable to Log4j. Planned ship date: November 15, 2022.

Tip: Use the SAS Hot Fix Announcements page to determine the availability of hot fixes for SAS 9.4 and SAS Viya 3.x platforms, products, and solutions.

Detailed Evaluations and Recommendations


SAS® Platforms

SAS® Viya® 2020.1 and later

The predominant logging mechanism that is used in the product does not involve Log4j. While there are instances of Log4j in the product, at this time there is no known usage where user input is passed through the UIs or application programming interfaces (APIs) to Log4j.

  • SAS has delivered all planned patches for SAS Viya 2020.1 and later. All supported cadences are at version 2.17.1 of Log4j. 
  • SAS recommends that you use a supported version with all available patches applied. Instructions about how to update your software are available in the SAS Help Center.
    • If you previously set a JRE argument, you do not have to undo that change.
    • If you are not able to update immediately, consider setting the log4j2.formatMsgNoLookups system property to true. Instructions are available.
  • If your deployment includes Open Distro for Elasticsearch, either upgrade to SAS Viya 2021.2.2 (or later) or make sure that you are using a supported version of SAS Viya, with the latest patches. Instructions for mitigating Open Distro for Elasticsearch have been removed.
  • If your deployment provides access from Base SAS® to Hadoop, see the mitigation guidance for SAS/ACCESS® Interface to Hadoop (in this bulletin).

SAS® Viya® 3.5 (Updated)

  • SAS has delivered all planned patches to remediate Log4j v2 in SAS Viya 3.5. The SAS Viya 3.5 platform, products, and solutions are at version 2.17.1 of Log4j. 
  • SAS recommends that you update to the latest version of SAS Viya 3.5. Instructions about how to update your software are available in the SAS Help Center.
    • If you previously set a JRE argument, you do not have to undo that change. 
    • If you are not able to update immediately, SAS recommends that you use loguccino to find and patch occurrences of vulnerable Log4j version 2 JAR files. Instructions are available.
  • If your deployment provides access from Base SAS® to Hadoop, see the mitigation guidance for SAS/ACCESS® Interface to Hadoop (in this bulletin).

SAS® Viya® 3.4 (Updated)

  • SAS has delivered all planned patches to remediate Log4j v2 in SAS Viya 3.4. The SAS Viya 3.4 platform, products, and solutions are at version 2.17.1 of Log4j. 
  • SAS recommends that you update to the latest version of SAS Viya 3.4. Instructions about how to update your software are available in the SAS Help Center. 
    • If you are not able to update immediately, SAS recommends that you use loguccino to find and patch occurrences of vulnerable Log4j version 2 JAR files. Instructions are available. 
  • If your deployment provides access from Base SAS® to Hadoop, see the mitigation guidance for SAS/ACCESS® Interface to Hadoop (in this bulletin).

SAS® Viya® 3.3

  • SAS recommends that you use loguccino to find and patch occurrences of vulnerable Log4j version 2 JAR files. Instructions are available. Note: Loguccino is similar to logpresso but customized for SAS software. SAS appreciates the excellent work of the logpresso team.
  • If you previously set a JRE argument, you do not have to undo that change. You should also use loguccino.  
  • If your deployment provides access from Base SAS® to Hadoop, see the mitigation guidance for SAS/ACCESS® Interface to Hadoop (in this bulletin).

SAS® 9.4

In addition to following any applicable platform-level instructions, all customers should follow any applicable product-level guidance. See SAS Products and Solutions.

If your deployment provides access from Base SAS® to Hadoop, see the mitigation guidance for SAS/ACCESS® Interface to Hadoop.

For the M0, M1, M2, M3, M4, and M5 maintenance releases of the SAS 9.4 platform, no customer action is needed.

For the M6 and M7 maintenance releases of the SAS 9.4 platform, recommendations are as follows:

  • If you have SAS® Fraud Management, see SAS Note 69006 instead of the recommendations in this section. 
  • Otherwise, SAS recommends that you apply the SAS Security Updates that became available on March 31, 2022.
    • First, review the instruction document that is linked at the top of the SAS Security Updates and Hot Fixes page.
    • Then, use loguccino to find and patch any remaining occurrences of vulnerable Log4j version 2 JAR files. Instructions are available. As additional updates become available, repeat this process until no remaining occurrences of vulnerable Log4j version 2 JAR files are found.

      Be aware that the hot fix creates a backup of the files that it replaces. After you apply the hot fix, you might find vulnerable instances of Log4j version 2 JAR files in a TAR file in your backup directory. It is not necessary to delete that TAR file, but deleting it will not cause problems.
  • At this time, SAS Note 68756 lists a few partial, product-specific updates. At the bottom of the SAS Security Updates and Hot Fixes page, you will find a link to the SASHFADD tool that can also be used to identify and download product-specific hot fixes applicable to your deployment. 
  • If you are not able to update immediately, SAS recommends that you use loguccino to find and patch occurrences of vulnerable Log4j version 2 JAR files. Instructions are available. 
    • Be aware that your SAS Software Depot might contain Log4j JAR files that are within the scope of CVE-2021-44228. The presence of those files in that location does not constitute an exploitable instance of that vulnerability. Modifying any file in a depot might cause future installation activities to fail. SAS recommends that you rerun loguccino after each installation activity, instead of modifying any Log4j JAR files in your depot.
    • Be aware that if you use the SAS® Installation Qualification Tool after mitigation, you will see failures in the report summary that the tool produces. In addition, the report details will show checksums of the modified log4j2.jar files that do not match the checksums of the originally installed files.
    • If you previously set a JRE argument, you do not have to undo that change. You should also use loguccino.
    • For customers who prefer manual remediation, manual instructions are available.

SAS® 9.3 and SAS® 9.2

  • No customer action is recommended at this time.
  • No vulnerable versions of Log4j were delivered with SAS 9.3 or SAS 9.3 hot fixes.
  • No vulnerable versions of Log4j were delivered with SAS 9.2 or SAS 9.2 hot fixes.

SAS® Products and Solutions

All customers should follow the relevant platform guidance in the preceding section. For any supported SAS 9.4 or SAS Viya product or solution that is not listed below, investigation is ongoing. 

SAS® Adaptive Learning and Intelligent Agent System

Versions 10.6 and 10.7:

To reduce risk, follow the instructions for: 

Version 10.5.1:

To reduce risk, follow the instructions for:

SAS® Add-In for Microsoft Office

SAS Add-In for Microsoft Office is not impacted. It is not a Java-based application and thus does not use any JAR files, including Log4j.

Because other applications in the SAS 9.4 environment might be impacted, reduce risk by following the instructions for:

SAS® Analytics Accelerator for Teradata

SAS does not deliver any third-party JAR files with its in-database products. 

No customer action is recommended at this time.

SAS® Analytics for IoT

On SAS Viya 2020.1 and later, this product does not include log4j-core-2.x.

As a precautionary, mitigating action, follow the instructions for: 

On SAS Viya 3.5, this product does not include log4j-core-2.x.

As a precautionary, mitigating action, follow the instructions for: 

SAS® Anti-Money Laundering

Versions 8.1 and 8.2 (SAS Viya 3.5):

To reduce risk, follow the instructions for:

Version 7.1 (SAS 9.4):

The SAS Anti-Money Laundering 7.1 package includes SAS® Data Management Standard 2.9, which contains Log4j version 2.13. See the entry for SAS Data Management Studio and SAS Data Management Server 2.9 (in this bulletin).

Then, as a precautionary, mitigating action, follow the instructions for:


SAS® API for ThreatMetrix Offerings

This section applies to the following products:

  • SAS® API for ThreatMetrix E-commerce Application
  • SAS® API for ThreatMetrix E-commerce Login
  • SAS® API for ThreatMetrix E-commerce Payment
  • SAS® API for ThreatMetrix Financial Services Application
  • SAS® API for ThreatMetrix Financial Services Login
  • SAS® API for ThreatMetrix Financial Services Payment

See the entry for SAS Business Orchestration Services (in this bulletin).

SAS® Asset Performance Analytics

On SAS 9.4M7:

The Log4j JAR file might be present in a SAS 9.4M7 installation, but none of the SAS Quality Suite solutions use it. As a precautionary, mitigating action, follow the instructions for:

SAS® Business Orchestration Services

Mitigating vulnerability CVE-2021-44228 in SAS Business Orchestration Services requires a restart after modifying an affected JAR file.

SAS recommends that you use loguccino to find and patch occurrences of vulnerable Log4j version 2 JAR files for the following versions:

  • SAS Business Orchestration Services 10.1
  • SAS Business Orchestration Services 10.1 HF1

Versions 10.2 and later are not affected by CVE-2021-44228. 

For SAS Business Orchestration Services 1.2 and 1.3, follow the instructions for:

SAS® Campaign Management

The SAS Customer Intelligence solutions do not leverage the versions of Log4j that are referenced in CVE-2021-44228. However, the affected JAR files are present in the SAS 9.4 environment.

As a precautionary, mitigating action, follow the instructions for:

SAS® Clinical Trial Data Transparency

Version 2.3:

SAS Clinical Trial Data Transparency 2.3 does not include log4j-core-2.x in the core application. Protective controls that are already in place for SAS Life Science Analytics Framework customers include the vulnerability mitigation steps that are described in this bulletin for SAS Cloud Solutions. As fixes for underlying software are released, patching will further mitigate the risk of this vulnerability.

SAS® 9 Content Assessment

SAS 9 Content Assessment does not include the versions of Log4j version 2 that are referenced in CVE-2021-44228. 

SAS® Continuous Monitoring Offerings

This section applies to the following products:

  • SAS® Continuous Monitoring for Procurement Integrity
  • SAS® Continuous Monitoring Framework

To reduce risk, follow the instructions for:

SAS® Cost and Profitability Management

Versions 8.1, 8.1M1, 8.1M2, 8.1M4 through 8.1M7, 8.3, 8.4, and 8.4M1:

To reduce risk, follow the instructions for:

Versions 7.11 and 7.2 (SAS® Activity-Based Management):

No customer action is recommended at this time.

These versions were built on SAS 9.3. No vulnerable versions of Log4j were delivered with SAS 9.3.

SAS® Customer Due Diligence

Version 8.2 (SAS Viya 3.5):

To reduce risk, follow the instructions for: 

Version 7.1 (SAS 9.4):

The SAS Customer Due Diligence 7.1 package includes SAS Data Management Standard 2.9, which contains Log4j version 2.13. See the entry for SAS Data Management Studio and SAS Data Management Server 2.9 in this bulletin.

Then, as a precautionary, mitigating action, follow the instructions for:

SAS® Customer Intelligence 360 Discover

Protective controls that are already in place for SAS Customer Intelligence 360 customers include the network configuration, version of Java, and limited exposure to Log4j.

Given the interactions with existing SAS products and the community research relating to CVE-2021-44228, SAS has concluded that unauthenticated remote code execution (RCE) is not possible. Out of an abundance of caution, a scheduled maintenance on December 15, 2021, completed the remediation that was recommended for this vulnerability, including removing the JndiLookup.class file from any Log4j-core JAR files present in the environment.

SAS® Customer Intelligence 360 Engage: Digital

Protective controls that are already in place for SAS Customer Intelligence 360 customers include the network configuration, version of Java, and limited exposure to Log4j. 

Given the interactions with existing SAS products and the community research relating to CVE-2021-44228, SAS has concluded that unauthenticated remote code execution (RCE) is not possible. Out of an abundance of caution, a scheduled maintenance on December 15, 2021, completed the remediation that is recommended for this vulnerability, including removing the JndiLookup.class file from any Log4j-core JAR files present in the environment.

SAS® Customer Intelligence 360 Engage: Direct

Protective controls that are already in place for SAS Customer Intelligence 360 customers include the network configuration, version of Java, and limited exposure to Log4j.

Given the interactions with existing SAS products and the community research relating to CVE-2021-44228, SAS has concluded that unauthenticated remote code execution (RCE) is not possible. Out of an abundance of caution, a scheduled maintenance on December 15, 2021, completed the remediation that was recommended for this vulnerability, including removing the JndiLookup.class file from any Log4j-core JAR files present in the environment.

The SAS Customer Intelligence 360 Engage: Direct Agent does not leverage the versions of Log4j that are referenced in CVE-2021-44228. However, the affected JAR files are present in the SAS 9.4 environment.

As a precautionary, mitigating action, follow the instructions for:

SAS® Customer Intelligence 360 Engage: Email

Protective controls that are already in place for SAS Customer Intelligence 360 customers include the network configuration, version of Java, and limited exposure to Log4j.

Given the interactions with existing SAS products and the community research relating to CVE-2021-44228, SAS has concluded that unauthenticated remote code execution (RCE) is not possible. Out of an abundance of caution, a scheduled maintenance on December 15, 2021, completed the remediation that was recommended for this vulnerability, including removing the JndiLookup.class file from any Log4j-core JAR files present in the environment.

SAS® Customer Intelligence 360 Engage: Optimize

Protective controls that are already in place for SAS Customer Intelligence 360 customers include the network configuration, version of Java, and limited exposure to Log4j.

Given the interactions with existing SAS products and the community research relating to CVE-2021-44228, SAS has concluded that unauthenticated remote code execution (RCE) is not possible. Out of an abundance of caution, a scheduled maintenance on December 15, 2021, completed the remediation that was recommended for this vulnerability, including removing the JndiLookup.class file from any Log4j-core JAR files present in the environment.

The SAS Customer Intelligence 360 Engage: Optimize Agent does not leverage the versions of Log4j that are referenced in CVE-2021-44228. However, the affected JAR files are present in the SAS 9.4 environment.

As a precautionary, mitigating action, follow the instructions for:

SAS® Customer Intelligence 360 Match

SAS Customer Intelligence 360 Match is not affected by CVE-2021-44228.

SAS® Customer Intelligence 360 Plan

Protective controls that are already in place for SAS Customer Intelligence 360 customers include the network configuration, version of Java, and limited exposure to Log4j.

Given the interactions with existing SAS products and the community research relating to CVE-2021-44228, SAS has concluded that unauthenticated remote code execution (RCE) is not possible. Out of an abundance of caution, a scheduled maintenance on December 15, 2021, completed the remediation that was recommended for this vulnerability, including removing the JndiLookup.class file from any Log4j-core JAR files present in the environment.

SAS® Data Loader for Hadoop

SAS® Data Loader 3.1 for Hadoop: 

Interactions between the Hadoop client (running the SAS session) and the Hadoop environment are initiated by an outbound connection from the SAS client. No server is listening on a port for random connections that would accept arbitrary user input and then exercise the vulnerable code path. 

After you upgrade Log4j in your Hadoop cluster, rerun the Hadoop tracer script. Instructions are available. 

SAS® Data Management Studio and SAS® Data Management Server

Version 2.9:

SAS Data Management Studio (formerly known as DataFlux® Data Management Studio) and SAS Data Management Server 2.9 include Log4j version 2.13. Follow the instructions in SAS Note 68699 to apply a hot fix to every instance of both SAS Data Management Studio and SAS Data Management Server in your installation. The hot fix has been updated to now include version 2.17.1 of Log4j.

A Log4j JAR file might be present in other components or products of the SAS 9.4 installation.

As a precautionary, mitigating action, follow the instructions for:

Versions 2.8 and earlier:

SAS Data Management Studio and SAS Data Management Server 2.8 and earlier versions do not include Log4j version 2 (which is the version associated with CVE-2021-44228).

A Log4j JAR file might be present in other components or products of the SAS 9.4 installation.

As a precautionary, mitigating action, follow the instructions for:

SAS® Data Quality Accelerator for Teradata

SAS does not deliver any third-party JAR files with its in-database products.

No customer action is recommended at this time.

SAS® Demand Planning

Versions 8.2 and 8.21:

To reduce risk, follow the instructions for:

SAS® Demand Signal Repository

Version 5.4 bundle:

To reduce risk, follow the instructions for:

SAS® Detection and Investigation Offerings

This section applies to the following industry-specific offerings:

  • SAS® Detection and Investigation for Banking
  • SAS® Detection and Investigation for Government
  • SAS® Detection and Investigation for Health Care
  • SAS® Detection and Investigation for Insurance

To reduce risk, follow the instructions for:

SAS® Energy Forecasting

SAS 9.4M7:

A Log4j JAR file might be present in a SAS 9.4M7 installation, but none of the SAS Quality Suite solutions use it.

As a precautionary, mitigating action, follow the instructions for:

SAS® Enterprise Guide®

SAS Enterprise Guide is not impacted. It is not a Java-based application and thus does not use any JAR files, including Log4j.

Because other applications in the SAS 9.4 environment might be impacted, reduce risk by following the instructions for:

SAS® Enterprise Session Monitor

Versions 2019.x and earlier:

No customer action is recommended at this time.

Versions 2020.3.x, 2020.4.x, 2021.1.0, and 2021.1.1:

SAS' current understanding is that SAS Enterprise Session Monitor, in its default configuration, is not vulnerable to CVE-2021-45046.

Only the agent component of SAS Enterprise Session Monitor is affected by CVE-2021-44228.

SAS recommends that you upgrade to the latest patch release for the version of the agent(s) that you are running.

  • 2020.3.x customers should upgrade their agent(s) to 2020.3.10.
  • 2020.4.x customers should upgrade their agent(s) to 2020.4.6.
  • 2021.1.x customers should upgrade their agent(s) to 2021.1.3.

These releases upgrade the Log4j version that is used by the agent(s) to 2.17.1.

SAS® Event Stream Processing

On SAS Viya 2020.1 and later, this product does not include log4j-core-2.x.

As a precautionary, mitigating action, follow the instructions for:

Version 6.2.3 (SAS Viya 3.5):

One component, the Event Stream Processing Metering server, contains log4j-core-2.7.jar. A hot fix has been released that removes Log4j version 2 entirely from this component. Follow the instructions in SAS Note 68757 to apply this hot fix and remove the vulnerable Log4j JAR file from your SAS Event Stream Processing 6.2.3 installation.

As a precautionary, mitigating action, follow the instructions for:

Versions 6.2, 6.2.1, and 6.2.2 (SAS Viya 3.5) do not include log4j-core-2.x.

As a precautionary, mitigating action, follow the instructions for:

Versions 6.1 and earlier do not contain Log4j version 2. As a precautionary, mitigating action, follow the instructions for the applicable platform:

For version 4.3 (on SAS Viya 3.2), platform-level instructions are not yet available.

SAS® Field Quality Analytics

On SAS Viya 2020.1 and later, this product does not include log4j-core-2.x.

As a precautionary, mitigating action, follow the instructions for:

SAS 9.4M7:

A Log4j JAR file might be present in a SAS 9.4M7 installation, but none of the SAS Quality Suite solutions use it.

As a precautionary, mitigating action, follow the instructions for:

SAS® Financial Crimes Analytics (on SAS® Viya®)

To reduce risk, follow the instructions for:

SAS® Financial Management

Versions 2021.2.1 and later:

To reduce risk, follow the instructions for:

Versions 5.4, 5.4M1, 5.5, 5.6, and 5.61:

To reduce risk, follow the instructions for:

Versions 5.3 and 5.3M1:

No customer action is recommended at this time. 

These versions were built on SAS 9.3. No vulnerable versions of Log4j were delivered with SAS 9.3.

SAS® Financial Planning and Assortment Planning

Versions 8.2 and 8.21:

To reduce risk, follow the instructions for:

SAS® Forecast Analyst Workbench

Versions 5.2, 5.2M1, 5.2M2, 5.3, 5.3M1, and 5.4:

To reduce risk, follow the instructions for:

SAS® Fraud Management

SAS Fraud Management does not have any known technical or functional dependency on the feature of Log4j that has CVE-2021-44228 and CVE-2021-45046 vulnerabilities.

As a precautionary measure, see SAS Note 69006.

SAS® Grid Manager, including SAS® Grid Manager for Platform

To reduce risk, follow the instructions for:

SAS® Identity 360

Protective controls that are already in place for SAS Identity 360 customers include the network configuration/IP allow listing, limited exposure to Log4j in components that are directly reachable, and the vulnerability mitigation steps recommended in this bulletin. As permanent fixes for underlying software are released, future patching will further mitigate the risk of this vulnerability.

SAS® In-Database Technologies

SAS does not deliver any third-party JAR files with its in-database products.

This section applies to the following products:

  • SAS® In-Database Technologies for Azure Synapse Analytics
  • SAS® In-Database Technologies for Databricks
  • SAS® In-Database Technologies for Teradata

No customer action is recommended at this time.

This section applies to the following products:

SAS® In-Database Technologies for Hadoop:

The instructions for configuring the Hadoop client require that the customer gather JAR files from their Hadoop deployment using the Hadoop tracer. See Obtain and Run Hadoop Tracer Script for instructions. The Hadoop tracer pulls in Log4j from the Hadoop deployment. 

Interactions between the Hadoop client (running the SAS session) and the Hadoop environment are initiated by an outbound connection from the SAS client. No server is listening on a port for random connections that would accept arbitrary user input and then exercise the vulnerable code path.

As a precautionary, mitigating action for Hadoop deployments, follow these instructions:

  • Rerun the Hadoop tracer.
  • Replace the Hadoop JAR files for the Hadoop client configuration to ensure that a non-vulnerable version of Log4j is used in the code path.

SAS® Intelligence and Investigation Management

Versions 8.1 through 8.3, including hot fixes:

To reduce risk, follow the instructions for:

For earlier product versions, investigations are ongoing.

SAS Intelligence and Investigation Management versions 8.1 through 8.3 ship with SAS Event Stream Processing 6.2 on SAS Viya 3.5. Depending on your minor version and hot-fix level, see the product-specific guidance for SAS Event Stream Processing (in this bulletin).

Versions 1.3 and 1.4:

To reduce risk, follow the instructions for:

Version 1.2:

To reduce risk, follow the instructions for:

SAS® Intelligent Planning

Versions 2020.1.1 and later:

To reduce risk, follow the instructions for:

Versions 8.22 through 8.24:

To reduce risk, follow the instructions for:

SAS® Inventory Optimization

Versions 2020.1.5 and later:

To reduce risk, follow the instructions for:

SAS® Inventory Optimization Workbench

Versions 5.2, 5.2M2, 5.3, 5.31, and 5.4:

To reduce risk, follow the instructions for:

Version 5.1:

No customer action is recommended at this time. 

This version was built on SAS 9.3. No vulnerable versions of Log4j were delivered with SAS 9.3.

SAS® IT Resource Management

Versions 3.4 through 3.11:

To reduce risk, follow the instructions for:

Versions 3.21 and 3.3:

No customer action is recommended at this time. 

These versions were built on SAS 9.3. No vulnerable versions of Log4j were delivered with SAS 9.3.

SAS® IT Resource Management for SAP

Versions 3.4 through 3.11:

To reduce risk, follow the instructions for:

Versions 3.21 and 3.3:

No customer action is recommended at this time. 

These versions were built on SAS 9.3. No vulnerable versions of Log4j were delivered with SAS 9.3.

SAS® Life Science Analytics Framework

Version 5.4: 

Protective controls in place for SAS Life Science Analytics Framework (LSAF) customers include the version of Java (1.8.0_292) and the vulnerability mitigation steps that are described in this bulletin for SAS Cloud Solutions. Loguccino reported that there are no vulnerable JAR files in the SAS 9.4 release of LSAF 5.4.

Versions 5.2 through 5.3:

Protective controls in place for LSAF customers include the vulnerability mitigation steps that are described in this bulletin for SAS Cloud Solutions. All LSAF 5.2 and 5.3 customer instances have been updated to use Log4j version 2.17.0. Loguccino was run on all customer instances to find and patch any vulnerable JAR files in SAS 9.4.

Version 5.1:

LSAF 5.1 does not include log4j-core-2.x in the core application. Protective controls in place for LSAF customers include the vulnerability mitigation steps described in this bulletin for SAS Cloud Solutions. Loguccino was run on all customer instances to find and patch any vulnerable JAR files in SAS 9.4.

LSAF Java API and LSAF Macro API 2.2.1 – 2.5: 

Updated releases of the LSAF Java API that contain Log4j version 2.17.1 are available. As a mitigating action, download an updated version

Updating the LSAF Java API will insulate the LSAF SAS Macro API for local SAS Macro API usage. If SAS Macro API usage is confined within LSAF, downloading the Java API locally is not needed.  

SAS recommends that you evaluate your site's current usage of the Java and SAS Macro API clients to determine what additional actions are required. At a minimum, all user installations of the Java API client should be replaced. 

LSAF Upload Download and Clean Workspace 2.2.1 – 2.5:

Updated releases of the LSAF Upload Download and LSAF Clean Workspace utilities that contain Log4j version 2.17.1 are available. Contact your SAS Project Owner to request the updated utilities.

LSAF Java API and LSAF Macro API 2.2: 

SAS Life Science Analytics Framework Java API and SAS Life Science Analytics Framework Macro API 2.2 do not include log4j-core-2.x in the APIs. Protective controls in place for LSAF customers include the vulnerability mitigation steps that are described in this bulletin for SAS Cloud Solutions. 

LSAF Extensions: 

Protective controls in place for SAS Life Science Analytics Framework (LSAF) Extensions customers include the vulnerability mitigation steps that are described in this bulletin for SAS Cloud Solutions. 

SAS® Markdown Optimization

Versions 2020.1.1 and later:

To reduce risk, follow the instructions for:

Versions 8.22 through 8.24:

To reduce risk, follow the instructions for:

Versions 8.2 and 8.21:

To reduce risk, follow the instructions for:

Versions 5.2M1, 5.4, 5.41M1, and 5.41M2:

To reduce risk, follow the instructions for:

Versions 5.2M1 through 5.2M4 (SAS® Revenue Optimization):

No customer action is recommended at this time. 

These versions were built on SAS 9.3. No vulnerable versions of Log4j were delivered with SAS 9.3.

SAS® Marketing Automation

The SAS Customer Intelligence solutions do not leverage the versions of Log4j that are referenced in CVE-2021-44228. However, the affected JAR files are present in the SAS 9.4 environment.

As a precautionary, mitigating action, follow the instructions for:

SAS® Marketing Optimization

The SAS Customer Intelligence solutions do not leverage the versions of Log4j that are referenced in CVE-2021-44228. However, the affected JAR files are present in the SAS 9.4 environment.

As a precautionary, mitigating action, follow the instructions for:

SAS® Merchandise Allocation

Versions 3.4, 3.5, 3.5M1, 3.7 through 3.9, and 4.2 through 4.4:

To reduce risk, follow the instructions for:

SAS® Merchandise Planning

Versions 6.13 and earlier:

No customer action is recommended at this time.

Versions 6.5, 6.7, and 6.8:

To reduce risk, follow the instructions for:

SAS® Orchestration Adapters

This section applies to the following products:

  • SAS® Orchestration Adapter for BioCatch
  • SAS® Orchestration Adapter for Boku
  • SAS® Orchestration Adapter for DataVisor
  • SAS® Orchestration Adapter for Giact
  • SAS® Orchestration Adapter for Intellicheck
  • SAS® Orchestration Adapter for Iovation
  • SAS® Orchestration Adapter for Prove
  • SAS® Orchestration Adapter for Socure
  • SAS® Orchestration Adapter for ThreatMetrix

See the SAS Business Orchestration Services guidance (in this bulletin).

SAS® Pack Optimization

Versions 3.4, 3.41, 3.41M1, and 3.41M2:

To reduce risk, follow the instructions for:

SAS® Production Quality Analytics

On SAS Viya 2020.1 and later, this product does not include log4j-core-2.x.

As a precautionary, mitigating action, follow the instructions for:

On SAS Viya 3.5, this product does not include log4j-core-2.x.

As a precautionary, mitigating action, follow the instructions for:

On SAS 9.4M7:

A Log4j JAR file might be present in a SAS 9.4M7 installation, but none of the SAS Quality Suite solutions use it.

As a precautionary, mitigating action, follow the instructions for:

SAS® Profitability Management

Versions 2.3, 2.3M1, 2.4, and 2.4M1:

To reduce risk, follow the instructions for:

Version 2.21:

No customer action is recommended at this time. 

This version was built on SAS 9.3. No vulnerable versions of Log4j were delivered with SAS 9.3.

SAS® Promotion Optimization

Versions 5.4, 5.41M1, and 5.41M2:

To reduce risk, follow the instructions for:

Versions 5.2M1 through 5.2M4 (SAS® Revenue Optimization):

No customer action is recommended at this time. 

These versions were built on SAS 9.3. No vulnerable versions of Log4j were delivered with SAS 9.3.

SASPy: Python Interface to MVA SAS

Earlier versions of SASPy contained an unpatched version of the log4j.jar file.

Users of the SASPy open-source project should update their SASPy package to version 3.7.7 or later. The most recent SASPy library can be found at https://github.com/sassoftware/saspy or on PyPI.

SAS® Quality Analytic Suite

SAS 9.4M7:

A Log4j JAR file might be present in a SAS 9.4M7 installation, but none of the SAS Quality Suite solutions use it.

As a precautionary, mitigating action, follow the instructions for:

SAS® Real-Time Decision Manager

The SAS Customer Intelligence solutions do not leverage the versions of Log4j that are referenced in CVE-2021-44228. However, the affected JAR files are present in the SAS 9.4 environment.

As a precautionary, mitigating action, follow the instructions for:

SAS® Real-Time Screening

Version 8.2 (including HF1 and ICF1): 

To reduce risk, follow the instructions for: 

SAS® Regular Price Optimization

Versions 5.4, 5.41M1, and 5.41M2:

To reduce risk, follow the instructions for:

Versions 5.2M1 through 5.2M4 (SAS® Revenue Optimization):

No customer action is recommended at this time. 

These versions were built on SAS 9.3. No vulnerable versions of Log4j were delivered with SAS 9.3.

SAS® Risk Management Solutions (SAS 9.4)

This section applies to the following products:

  • SAS® Asset and Liability Management
  • SAS® Credit Assessment Manager
  • SAS® Firmwide Risk Management for Insurance
  • SAS® Governance and Compliance Manager
  • SAS® Model Risk Management
  • SAS® Regulatory Content for CCAR
  • SAS® Regulatory Content for CECL
  • SAS® Regulatory Content for IFRS 9
  • SAS® Regulatory Content for IFRS 17
  • SAS® Regulatory Risk Management
  • SAS® Solution for LDTI

SAS Risk Management solutions that are based on SAS® Risk Stratum or SAS® Expected Credit Loss bundles include SAS® Risk Governance Framework 7.4.

SAS Risk Governance Framework 7.4 has a technical dependency on Log4j version 2, which makes these bundles susceptible to CVE-2021-44228.

SAS 9.4:

To reduce risk, follow the instructions for:

Note: SAS Governance and Compliance Manager was formerly known as SAS® Enterprise GRC. If you have SAS Enterprise GRC 6.1 and have applied Hot Fix T04013 or later, you should run Loguccino. Instructions are available.

SAS® Risk Management Solutions (SAS Viya)

This section applies to the following products:

  • SAS® for Model Risk Management
  • SAS® Risk Engine
  • SAS® Risk Modeling

To reduce risk, follow the instructions for:

SAS Risk Management Solutions on SAS Viya contain Solr. 

  • SAS recommends updating to at least SAS Viya 2021.2 (Long-Term Support cadence) or SAS Viya 2021.1.6 (Stable cadence) of the SAS Risk Management solution that includes Log4j 2.17.1.
  • If you cannot update immediately, you can update the configuration files to include the following temporary mitigation (as recommended by Apache). In the solr.in.sh file, add the following line: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
  • Refer to the Solr Security Guide for more information about the impact of Log4j-related CVEs to Solr.

SAS® Scalable Performance Data Engine

SAS® Scalable Performance Data Engine (SPD Engine):

If you use SPD Engine with Hadoop Distributed File System (HDFS), SPD Engine acts as a Hadoop client (within the SAS session). Interactions between that client and the Hadoop environment are initiated by an outbound connection from the SAS client. No server is listening on a port for random connections that would accept arbitrary user input and then exercise the vulnerable code path. 

After you upgrade Log4j in your Hadoop cluster, rerun the Hadoop tracer script. Instructions are available. 

Note: If you use SPD Engine with a file system other than HDFS, there is no interaction between SPD Engine and Log4j, so the preceding information is not applicable.

SAS® Scoring Accelerators

SAS does not deliver any third-party JAR files with its in-database products.

This section applies to the following products:

  • SAS® Scoring Accelerator for Aster
  • SAS® Scoring Accelerator for DB2
  • SAS® Scoring Accelerator for Greenplum
  • SAS® Scoring Accelerator for Netezza
  • SAS® Scoring Accelerator for Oracle
  • SAS® Scoring Accelerator for Spark
  • SAS® Scoring Accelerator for Teradata

No customer action is recommended at this time.

This section applies to the following products:

SAS® Scoring Accelerator for Hadoop:

The instructions for configuring the Hadoop client require that the customer gather JAR files from their Hadoop deployment using the Hadoop tracer. See Obtain and Run Hadoop Tracer Script for instructions. The Hadoop tracer pulls in Log4j from the Hadoop deployment. 

Interactions between the Hadoop client (running the SAS session) and the Hadoop environment are initiated by an outbound connection from the SAS client. No server is listening on a port for random connections that would accept arbitrary user input and then exercise the vulnerable code path.

As a precautionary, mitigating action for Hadoop deployments, follow these instructions:

  • Rerun the Hadoop tracer.
  • Replace the Hadoop JAR files for the Hadoop client configuration to ensure a non-vulnerable version of Log4j is used in the code path.

SAS® Size Optimization

Versions 2020.1.1 and later:

To reduce risk, follow the instructions for:

Version 4.2:

To reduce risk, follow the instructions for:

Version 4.2:

To reduce risk, follow the instructions for:

SAS® Size Profiling

Versions 3.4, 3.41, 3.41M1, and 3.41M2:

To reduce risk, follow the instructions for:

SAS® Visual Analytics

Versions 2020.1.3 and later:

To reduce risk, follow the instructions for:

Versions 8.5, 8.5.1, and 8.5.2:

To reduce risk, follow the instructions for:

Versions 7.5 and 7.5.1:

To reduce risk, follow the instructions for:

SAS® Visual Analytics Apps

This section applies to the following products:

  • SAS® Visual Analytics App for Android
  • SAS® Visual Analytics App for iOS
  • SAS® Visual Analytics App for Windows

There are no known Log4j vulnerabilities associated with these apps.

No customer action is recommended at this time.

SAS® Visual Investigator

Versions 10.6 – 10.8:

To reduce risk, follow the instructions for:

Versions 10.4, 10.5, and 10.5.1:

To reduce risk, follow the instructions for:

Note: Prior product-specific instructions have been removed. If you previously completed those instructions, there is no need to undo those changes. 

SAS/ACCESS®

SAS/ACCESS® Interface to Hadoop, SAS/ACCESS® Interface to Impala, and SAS/ACCESS® Interface to Spark: 

Interactions between the Hadoop client (running the SAS session) and the Hadoop environment are initiated by an outbound connection from the SAS client. No server is listening on a port for random connections that would accept arbitrary user input and then exercise the vulnerable code path.

After you upgrade Log4j in your Hadoop cluster, rerun the Hadoop tracer script. See the instructions for your platform: SAS 9.4, SAS Viya 3.x, or SAS Viya 2020.1 and later.

Note: For other SAS/ACCESS interfaces, no customer action is recommended at this time.

SAS® Cloud Solutions

There is no indication that any SAS Cloud customer environments have had an active exploit of the Log4j CVEs. This is based on the following mitigating controls applicable to SAS Cloud: (a) no unauthenticated attack vector; (b) increased surveillance and monitoring of those systems; and (c) vulnerability and log scans of the environments. As a precaution, SAS continues to implement the remediation tactics that are recommended to customers for all hosted systems. These actions are intended to ensure that all vectors of the vulnerability are appropriately remediated. A SAS representative will contact you with remediation plans that are specific to you, as the information becomes available. However, given that guidance continues to evolve for these CVEs, SAS does not expect full remediation of all SAS Cloud services to be complete until early 2022. In the interim, the mitigating controls SAS has in place, along with the fact that most customers have limited inbound connectivity from the internet, substantially reduce the risks associated with the Log4j CVEs.

SAS reduces exposure for the solutions that it hosts by using measures such as the following:

  • Implemented network-based policy controls to block current, publicly disclosed malicious Java Naming and Directory Interface (JNDI) and LDAP attack vectors originating from the internet (12-11-2021).
  • Configured existing outbound network filters as default-deny, thus limiting the ability of the current, publicly disclosed vectors to succeed in remote code execution.

Other Products

JMP® Products

In general, JMP products are not impacted by the vulnerabilities in this bulletin.

However, if you use JMP® 16.2 or later, you might choose to take mitigating action as a purely precautionary measure. For more information, see JMP Note 68714.

Memex® Products

The version of Log4j that is used by Memex products, including Patriarch, the Memex Intelligence Engine, the Memex Mobile application, and associated integrations (such as eGuardian and RISS), is not affected by CVE-2021-44228.

IDeaS® Products

No customer action is recommended at this time.

Additional Mitigation Strategies

As mentioned above, SAS has applied mitigating controls to SAS Cloud customers. SAS recommends similar protections for customer on-premises installations:

  • Configure default-deny network filters to prevent outbound internet communication from a potentially vulnerable system, thus preventing successful remote callback traffic.
  • In situations where systems are required to be internet-facing, a Web Application Firewall (WAF), paired with rules tailored to this CVE, can be leveraged to help reduce the impact of such a vulnerability.
  • The major vulnerability scanning vendors (Qualys, Rapid7, and Tenable) have all released updated signatures to check for the most common attack vectors related to this vulnerability.
