SAS is conducting an ongoing investigation into its use of Log4j. The scope of the investigation is as follows: SAS 9. At this time, the results of the investigation are as follows:.
As the security community's understanding of Log4j vulnerabilities evolves, and SAS continues its investigation, SAS will address any new findings and surface concerns to customers.
Here is a summary of SAS activities in support of industry-standard mitigation and remediation measures:. Measure: In your deployment, remove the JndiLookup class from vulnerable versions of Log4j v2.
You must re-apply this measure after each deployment-related activity hot fix, update, or addition of software. Note: Third-party scanning tools often base their results on the version information of the JAR file and do not account for JAR files that have been patched in this manner. You might continue to see false positives depending on how your tool is designed to detect remediation.
When you use this measure, you do not need to undo any previous measures. Here are details by SAS platform:. Note: Loguccino is similar to logpresso but customized for SAS software. SAS appreciates the excellent work of the logpresso team. This measure is the primary and definitive mitigation for Log4j v2 vulnerabilities. In this measure, you update your SAS software as patches and new versions become available.
SAS recommends that you use this measure as soon as the SAS software updates that you need are available. Note: 2.
In each update in the preceding list, SAS intends to include the version of Log4j v2 that is most recent and has the least security risk. Note: In addition to following any applicable platform-level instructions, all customers should follow any applicable product-level guidance. All customers should follow the relevant platform guidance in the preceding section.
For any supported SAS 9. Because other applications in the SAS 9. Then, as a precautionary, mitigating action, follow the instructions for:. In SAS 9. As a precautionary, mitigating action, follow the instructions for:. As fixes for underlying software are released, patching will further mitigate the risk of this vulnerability. However, it does not use any of the classes or methods described in this CVE. These versions were built on SAS 9. No vulnerable versions of Log4j were delivered with SAS 9.
Protective controls that are already in place for SAS Customer Intelligence customers include the network configuration, version of Java, and limited exposure to Log4j.
Out of an abundance of caution, a scheduled maintenance on December 15, , completed the remediation that was recommended for this vulnerability, including removing the JndiLookup. Out of an abundance of caution, a scheduled maintenance on December 15, , completed the remediation that is recommended for this vulnerability, including removing the JndiLookup.
No server is listening on a port for random connections that would accept arbitrary user input and then exercise the vulnerable code path. After you upgrade Log4j in your Hadoop cluster, rerun the Hadoop tracer script.
Instructions are available. The hot fix updates the Log4j version to 2. Therefore, these versions would not be vulnerable to CVE The instructions for configuring the Hadoop client require that the customer gather JAR files from their Hadoop deployment using the Hadoop tracer. The Hadoop tracer pulls in Log4j from the Hadoop deployment. SAS Enterprise Guide is not impacted. SAS recommends that you upgrade to the latest patch release for the version of the agent s that you are running.
These releases will upgrade the Log4j version that is used by the agent s to 2. One component, the Event Stream Processing Metering server, delivered in the 6. This application creates a logger but does not use it. SAS has high confidence that this application is safe.
For ultimate security, it is recommended to not start the Event Stream Processing Metering server. Designed for dynamic data visualization and analytics on the desktop, JMP enables data access and processing; statistical analysis; design of experiments; multivariate analysis; quality and reliability analysis; scripting; graphing and charting.
It helps you see and explore data, spot relationships and trends, and dig into areas of interest. It links advanced statistics and graphics, creates reports from CDISC data, and helps reviewers migrate into the modern review environment.
Ready to create models from your data? These resources are a good place to start. Getting started with JMP is easy. Use these resources to get the most out of JMP, right from the start. The JMP Knowledge Base aka JMP Notes contains information on known problems Problem Notes associated with the software, common user errors, undocumented features, and circumventions and fixes for problems. Be part of the SAS community. We offer a variety of ways for you to interact with users and experts.
Learn JMP technology quickly and efficiently by taking a course from the analytics experts. Develop core competency in applied problem-solving with data and statistics. In this course you'll learn how to map a process, define and scope your project, describe data with graphics and use interactive visualizations to find and communicate the story in your data. Learn world-class capabilities for statistics and visualizations for Genetic and all kinds of Omics data.
Clinical data analysis software that shortens the drug development process by streamlining the analysis and reporting of clinical trials data. Genomic data analysis software that allows researchers to visualize, explore and understand vast genomics data sets.
Marine biologists use predictive modeling to develop strategies for coral reef conservation. At WildTrack, conservation biologists use footprint data to monitor endangered species. More customer stories. Which JMP product is right for you? Explore data more fully with powerful statistics.
Discover meaningful findings by digging deeper into your data.
0コメント