
Remote Code Execution Vulnerability (CVE-2021-44228)

source link: https://support.sas.com/en/security-bulletins/remote-code-execution-vulnerability-cve-2021-44228.html

Reference Name: Remote Code Execution Vulnerability (CVE-2021-44228)
Severity: Critical
Status: Under Investigation

History

Next update expected: 12-15-2021 (by 9:00 PM EST)

  • 12-15-2021 (1:00 PM EST) – Additional information about Memex® products, where to obtain updated signatures, and how to subscribe to bulletin updates
  • 12-14-2021 (8:00 PM EST) – Minor corrections within the Security Bulletin page, along with a "next update expected" announcement
  • 12-14-2021 (3:00 PM EST) – Updates within the Security Bulletin page, including information about related vulnerabilities, links to instructions for SAS® Viya® 3.4 and SAS® Viya® 3.5, and evaluations and recommendations for SAS platforms, cloud solutions, and products
  • 12-13-2021 – Updates made to the Security Bulletin page regarding product impacts, given that public guidance has concluded that more recent Java versions cannot be considered mitigating controls against this vulnerability; clarification of vulnerability and response efforts
  • 12-12-2021 – Initial solution and mitigation steps added
  • 12-11-2021 – Security Bulletin published
  • 12-09-2021 – Initial acknowledgment and investigation started

Impact

SAS is investigating the remote code execution vulnerability (CVE-2021-44228) initially disclosed on December 9, 2021, in the Apache Log4j Java logging library. The vulnerability is also known as Log4Shell. It is rated with the highest CVSS base score of 10.0 (Critical). If exploited, it could allow a remote unauthenticated attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers and take complete control of the system. The vulnerability affects Log4j versions 2.0 through 2.14.1.

Description

Log4j is an open-source, Java-based logging framework widely used in commercial and open-source software products to keep a record of activity within an application. As soon as SAS learned about this vulnerability, its security and R&D teams began detection and evaluation activities, methodically examining its software products and SAS® Cloud solutions, and their log files, for any services using affected Log4j versions. In addition, SAS contacted its security vendors for identification and assessment of third-party products used in its solutions.

R&D is actively working on hot fixes to update the Log4j version where necessary. Additional technical information and guidance will be regularly published to this bulletin as SAS continues to perform assessments of this vulnerability.
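The inventory step described above (finding which deployed JARs carry a log4j-core version in the bulletin's affected range of 2.0 through 2.14.1) can be automated. The following is an added example written for this page, not SAS code or SAS guidance: it reads the Maven `pom.properties` that log4j-core ships inside its JAR, compares the version against the affected range, and also reports whether `JndiLookup.class` is still present (Apache's documented class-removal mitigation for older releases, which the bulletin itself does not mention). The sample JARs are constructed in memory for demonstration.

```python
"""Check a log4j-core JAR against the CVE-2021-44228 affected range (2.0 through 2.14.1)."""
import io
import zipfile

AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Qualifiers are dropped."""
    nums = [int(p) for p in text.split("-")[0].split(".") if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])


def inspect_jar(jar_source):
    """Describe a JAR (path or file-like object); None if it is not log4j-core.
    'affected' = Maven version in 2.0..2.14.1 and JndiLookup.class still present
    (removing that class is Apache's mitigation for old releases, not SAS guidance)."""
    with zipfile.ZipFile(jar_source) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None
        props = dict(
            line.split("=", 1)
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            if "=" in line and not line.startswith("#")
        )
        version = props.get("version", "").strip()
        in_range = bool(version) and AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
        has_jndi = JNDI_CLASS in names
        return {"version": version, "has_jndi_lookup": has_jndi, "affected": in_range and has_jndi}


def make_sample_jar(version, with_jndi=True):
    """Constructed fixture: a minimal log4j-core-like JAR in memory (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"#Generated by Maven\nversion={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.15.0", True), ("2.14.1", False), ("2.0-beta9", True)]:
        print(ver, "JndiLookup present" if jndi else "JndiLookup removed", inspect_jar(make_sample_jar(ver, jndi)))
```

On a real host, pass JAR paths found under the application's library directories to `inspect_jar`; JARs nested inside WAR or EAR archives need to be extracted first, which this example does not do.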

Related Vulnerabilities

SAS is also aware of the following related vulnerabilities. The R&D and security teams are triaging these for exposure and resolution.

SAS Guidance

The following is the current SAS guidance on its products and services:

SAS® Platforms

  • SAS® Viya® 2020.1 and later
    • The predominant logging mechanism used in the product does not involve Log4j. There are instances of Log4j in the product; however, most of those instances are bypassed by other logging mechanisms. SAS cannot say definitively at this time that there is no exposure, but the attack surface is significantly reduced. SAS is working diligently to reduce risk through proper mitigation and will continue to communicate any further guidance as quickly as possible.
  • SAS® Viya® 3.5
  • SAS® Viya® 3.4
  • SAS® 9.4M7 (TS1M7)
    • SAS will be recommending that the log4j2.formatMsgNoLookups system property be set to true, as documented in the CVE. SAS is working on instructions and will link to them when published. Setting this property reduces the extent of the exposure.
  • SAS® 9.4M6 (TS1M6) and earlier releases
    • Under active review.

SAS® Cloud Solutions

  • Implemented network-based policy controls to block current, publicly disclosed malicious Java Naming and Directory Interface (JNDI) and LDAP attack vectors originating from the internet (12-11-2021).
  • Existing outbound network filters are configured as default-deny, thus limiting the ability of the current, publicly disclosed vectors to succeed in remote code execution.

SAS® Products and Solutions

Product or Solution | Evaluation or Recommendation
SAS® Customer Intelligence 360 | Protective controls that are already in place for SAS Customer Intelligence 360 customers include the network configuration, the version of Java, and limited exposure to Log4j. Out of an abundance of caution, a scheduled maintenance on December 15, 2021, will complete the remediation that is recommended for this vulnerability.

JMP® Products

  • JMP® products are not impacted by this vulnerability.

Memex® Products

All Memex products use Apache Log4j, but the version of Log4j that they use is not affected by the vulnerability. The Memex products include Patriarch and the Memex Intelligence Engine, and associated integrations, such as eGuardian and RISS.

Additional Mitigation Strategies

As mentioned above, SAS has applied mitigating controls to SAS Cloud customers and has recommended similar protections for customer on-premises installations:

  • Configure default-deny network filters to prevent outbound internet communication from a potentially vulnerable system, thus preventing successful remote callback traffic.
  • In situations where systems are required to be internet-facing, a Web Application Firewall (WAF), paired with rules tailored to this CVE, can be leveraged to help reduce the impact of such a vulnerability.
  • The major vulnerability scanning vendors (Qualys, Rapid7, and Tenable) have all released updated signatures to check for the most common attack vectors related to this vulnerability.

Update Notifications

To receive notifications about bulletin updates, subscribe to the Updates on log4j Remote Code Execution Vulnerability (CVE-2021-44228) Communities topic.
