How to patch SAS 9.4 from Log4j Vulnerabilities

Issue/Question

  • How do I patch SAS 9.4 from the Log4j Vulnerability?

Environment

  • Windows 10
  • SAS 9.4 M6+

Explanation

SAS has a Remote Code Execution Vulnerability that was identified December 2021.  The instructions in this kb will help you implement the guidance that is provided in SAS Security Bulletin: Remote Code Execution Vulnerability (CVE-2021-44228)

These instructions were modified from the Original SAS Instructions on their response.
 

Each time you perform a SAS installation activity (such as upgrading, updating, hot fixing, or adding software), repeat this process.  Repetition is necessary to ensure that installation activities do not reintroduce vulnerabilities.

Resolution

Method 1
 

Note: As of March 31st, 2022, visit https://go.documentation.sas.com/api/docsets/log4j/1.0/content/log4j.pdf?locale=en (See Page 26) for the current migitation instructions for SAS 9.4M6 and SAS 9.4M7. (For the M0, M1, M2, M3, M4, and M5 maintenance releases of SAS 9.4, no platform-level mitigation is needed.)

 

Please reference the Security Updates and Hot Fixes page for steps for patchable versions of SAS 9.4.  If they are running 9.4 M8 that should be safe by default as it uses either an updated version of log4j that is secure, or does not use log4j at all.

  1. Stop all SAS sessions, processes, services, and servers.

    Note: If you don't see any SAS related services, skip this step

    1. On Windows environments, use Windows Services to stop your SAS services.
    2. Run Services as Administrator

       
    3. Right-Click any SAS services and click Stop

       

      Note: Leave the Services Window open if you need to restart these services at the end

  2. Search your SAS Home and SAS configuration directories for any log4j-core-2.* JAR files.
    1. Browse to your SAS Home Directory, the default location is C:\Program Files\SASHome
    2. In the Search field, enter log4j-core-2.*.jar

       
    3. Right-click on one of the found search results and click Open File Location

       
    4. Copy the location to your clipboard for use in the next step
    5. Run 7-Zip File Manager as administrator

       
    6. Paste the location copied in step 4 into the address bar in 7-Zip

       
    7. Double-click the .JAR file found in step 3 and navigate to org/apache/logging/log4j/core/lookup, and delete the JndiLookup.class file.

      Note: Repeat these steps for each search result form step 2

  3. Once you have completed all of the above steps, restart all SAS services in your environment

    Note: If you didn't stop any serivces, you can skip this step

Assistance

For assistance, contact the Service Desk.