
Security Advisory warning of an Apache Log4j vulnerability; any impact to MICS ?


Article ID: 230374


Updated On:

Products

MICS Resource Management

Issue/Introduction

Security advisory regarding the Apache Log4j vulnerability (CVE-2021-44228): does it affect MICS Resource Management?

Environment

Release : 14.3

Component : MICS BASE SET

Resolution

MICS itself is not impacted by this vulnerability, but we are advising customers to update the web servers they use alongside it.

SAS also issued a Security Advisory. When this resolution was first written, the SAS products used by MICS were not listed as impacted; SAS has since revised that advisory (see Additional Information below).
 

Additional Information

SAS updated the Security Advisory in mid-December: SAS 9.4M7 is impacted, and SAS is now investigating the older maintenance releases.
 
 
SAS updated the vulnerability list on 12/15 to add SAS 9.4 to the list of impacted products:
  • SAS® 9.4M7 (TS1M7) and SAS® 9.4M6 (TS1M6)
    • SAS is recommending that the log4j2.formatMsgNoLookups system property be set to true, as documented in the CVE. Refer to Remediation for Remote Code Execution Vulnerability (CVE-2021-44228) for instructions. Note that this property only disables lookups in log message text; Apache later described it as an incomplete mitigation, which is why the class-removal step below is the durable fix.
    • SAS plans to make a recommendation and provide detailed instructions for removing the offending JndiLookup.class file from impacted log4j.jar files. SAS has not seen this action have a negative impact on product functionality during testing. Once this recommendation is available, it will supersede any need for applying the system property because it will cover all issues raised by the original and subsequent CVEs.
    • If used, the SAS® Installation Qualification Tool will report failures in its summary after the JndiLookup.class file is removed from Log4j JAR files. In addition, the details of the report show checksums of the modified Log4j 2 JAR files that do not match the checksums of the originally installed files. This is expected after remediation, not a sign of a failed install.
  • SAS® 9.4M5 (TS1M5) and earlier
    • Under active review.
    • SAS plans to make a recommendation and provide detailed instructions for removing the offending JndiLookup.class file from impacted log4j.jar files. SAS has not seen this action have a negative impact on product functionality during testing. Once this recommendation is available, it will supersede any need for applying the system property because it will cover all issues raised by the original and subsequent CVEs.
    • If used, the SAS® Installation Qualification Tool will report failures in its summary after the JndiLookup.class file is removed from Log4j JAR files. In addition, the details of the report show checksums of the modified Log4j 2 JAR files that do not match the checksums of the originally installed files.
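The JndiLookup.class removal described above, together with the checksum change that the Installation Qualification Tool will later flag, can be scripted. The following is an added example written for this article; it is not SAS or Broadcom tooling and it does not reproduce SAS's official instructions. It scans a directory tree for JAR/WAR/EAR archives, reports any that still carry org/apache/logging/log4j/core/lookup/JndiLookup.class, writes a remediated copy without that entry, and records the SHA-256 before and after so the checksum mismatch is documented rather than a surprise. The install tree, file names (log4j-core.jar, log4j-api.jar) and class bytes it builds under a temporary directory are constructed stand-ins, not real SAS or Log4j files.

```python
"""Find Log4j 2 archives that still ship JndiLookup.class and write remediated copies.

Added example, not SAS or Broadcom tooling. Every path below is whatever the
caller passes in; demo() builds a constructed sample tree in a temp directory.
"""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# Location of the class inside log4j-core; removing it disables the JNDI lookup.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def sha256_of(path) -> str:
    """SHA-256 of a file, read in chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_jndi_lookup(path) -> bool:
    """True if the archive contains JndiLookup.class at the log4j-core location.
    Non-zip files (or truncated archives) are reported as clean rather than crashing the scan."""
    try:
        with zipfile.ZipFile(path) as zf:
            return JNDI_LOOKUP in zf.namelist()
    except zipfile.BadZipFile:
        return False


def scan(root) -> list:
    """Walk root and return every archive that still carries JndiLookup.class.
    Nested archives (a jar inside a war) are not opened; extract those separately."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                p = Path(dirpath) / name
                if has_jndi_lookup(p):
                    hits.append(p)
    return sorted(hits)


def strip_jndi_lookup(src, dst) -> dict:
    """Copy src to dst with the JndiLookup.class entry omitted.

    zipfile cannot delete in place, so the archive is rewritten entry by entry,
    keeping each entry's ZipInfo (name, timestamp, compression). The returned
    checksums document the change that an integrity tool will report later.
    """
    src, dst = Path(src), Path(dst)
    before = sha256_of(src)
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            zout.writestr(info, zin.read(info.filename))
    return {"path": str(dst), "sha256_before": before, "sha256_after": sha256_of(dst)}


def make_sample_jar(path, with_jndi: bool) -> Path:
    """Construct a stand-in archive for the demo (not a real Log4j jar)."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe stub")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe stub")
    return path


def demo(root=None) -> dict:
    """Build a constructed install tree, scan it, remediate hits, and re-check them."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    make_sample_jar(root / "SASHome" / "lib" / "log4j-core.jar", with_jndi=True)
    make_sample_jar(root / "SASHome" / "lib" / "log4j-api.jar", with_jndi=False)
    hits = scan(root)
    results = [strip_jndi_lookup(j, j.with_name(j.name + ".patched")) for j in hits]
    # Verify the remediated copies no longer contain the class before swapping them in.
    still_present = [r["path"] for r in results if has_jndi_lookup(r["path"])]
    return {"found": [str(h) for h in hits], "results": results, "still_present_after": still_present}


if __name__ == "__main__":
    out = demo()
    for r in out["results"]:
        print(f"{r['path']}: {r['sha256_before'][:12]} -> {r['sha256_after'][:12]}")
    print("still vulnerable after remediation:", out["still_present_after"])
```

The script deliberately writes a sibling `.patched` file instead of overwriting the original, so the swap (stop the JVM, replace the jar, restart) stays a separate, reviewable step and the original is available if the vendor's official guidance differs. Keep the before/after checksums with the change record; they are the evidence behind the Installation Qualification Tool mismatch the advisory warns about.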