SAS plans to make a recommendation and provide detailed instructions for removing the offending JndiLookup.class file from impacted log4j.jar files. SAS has not seen this action have a negative impact on product functionality during testing. Once this recommendation is available, it will supersede any need for applying the system parameters because it will cover all issues raised by the original and subsequent CVEs.
If used, the SAS® Installation Qualification Tool will report failures in its summary after the JndiLookup.class file is removed from Log4j JAR files. In addition, the details of the report show checksums of the modified Log4j2.jar files that do not match the checksums of the originally installed files.
SAS® 9.4M5 (TS1M5) and earlier
Under active review.
SAS plans to make a recommendation and provide detailed instructions for removing the offending JndiLookup.class file from impacted log4j.jar files. SAS has not seen this action have a negative impact on product functionality during testing. Once this recommendation is available, it will supersede any need for applying the system parameters because it will cover all issues raised by the original and subsequent CVEs.
If used, the SAS® Installation Qualification Tool will report failures in its summary after the JndiLookup.class file is removed from Log4j JAR files. In addition, the details of the report show checksums of the modified Log4j2.jar files that do not match the checksums of the originally installed files.