SAS Remote Code Execution Vulnerability (CVE-2021-44228)

CVE-2021-44228 is a remote code execution vulnerability in Apache Log4j. 

SAS 9.4 is vulnerable to CVE-2021-44228.

VUMC IT applied the necessary Security Update to address the Log4j vulnerability on the server.

End users access the SAS server through SAS Enterprise Guide, the PC interface, and through SAS Studio, the web interface.  Enterprise Guide is not Java-based and is not vulnerable to CVE-2021-44228.

PC users may also install SAS Add-In for Microsoft Office and SAS Management Console.  SAS Add-In for Microsoft Office allows you to use SAS features directly from Microsoft Outlook, Excel, Word and PowerPoint.  SAS Management Console lets you schedule jobs through OAS.  SAS Add-In for Microsoft Office is not vulnerable to CVE-2021-44228.

See Remote Code Execution Vulnerability (CVE-2021-44228) for additional information.