The recent news of log4j vulnerabilities is still top-of-mind for many SAS customers. We want to share with you the latest activities and findings from SAS.

For SAS customers:

Security and integrity of SAS software and Cloud hosted environments is always our top priority. In the early days of the log4j news (mid-December), the SAS teams responded swiftly. For our on-premises customers, we provided information on SAS products that were affected as well as recommended actions. SAS Viya 2021.2.2 includes an updated version of log4j. Additionally, we released a free tool (called loguccino) that you can use to detect and patch vulnerable log4j files within your SAS 9.4 and SAS Viya 3.x environments.

For our SAS Cloud hosted customers, we immediately hardened aspects of the environment that such a vulnerability could potentially exploit, including tighter network-based policy filters and increased surveillance. We have detected no evidence of attacks related to SAS software specific to these published vulnerabilities.

Upon further research, we determined that while the log4j vulnerability itself is severe, the log4j configuration and use within our SAS-hosted systems presents very limited exposure. No unauthenticated users (that is, users without existing privilege to access) can trigger the remote code execution vulnerability. Given these findings and the preventative measures already in place, we feel confident that your SAS applications and data remain secure in SAS Cloud.

For additional details please refer to the SAS Security Bulletin.

Thank you for your continued partnership in keeping your SAS environments productive and safe and thank you for being a SAS customer!

Highlights from the security bulletin

• To receive notifications about bulletin updates, subscribe to the Updates on log4j Remote Code Execution Vulnerability (CVE-2021-44228) topic on SAS Support Communities or follow this RSS feed.
• In an effort to provide an audited and automated approach for customers, SAS has developed a vulnerability patch script called loguccino. Loguccino is a tool that is similar to logpresso but customized for SAS software. The tool is specifically designed to remediate 9.4 and SAS Viya 3 environments and recursively searches for vulnerable log4j jar files, removes the JndiLookup class, and repackages the JAR without the vulnerability.
• The bulletin describes the plans and timelines for SAS to deliver updated versions of log4j in its software.
• The continuous and ongoing investigation SAS has made into the use of Log4j within the SAS Viya 2020.1, SAS Viya 3.5, SAS Viya 3.4 platform and the SAS 9 SAS Logon process has concluded that, given the community understanding of CVE-2021-44228, unauthenticated remote code execution (RCE) exploits are not possible at this time.
• The major vulnerability scanning vendors (Qualys, Rapid7, and Tenable) have all released updated signatures to check for the most common attack vectors related to this vulnerability.

As a reminder, you can always find the latest security bulletins from SAS on our Support website.

This post was originally published on December 13, 2021. It has been updated to include new messages and recent highlights from the SAS security bulletin.