SAS has issued remediation steps for its products, and specifically for SAS 9.4 TS1M6 & M7, found here: https://bit.ly/3e4UZTs
We found that if SAS clients are installed on the client machines, the log4j-core-2.*.jar files are also present. We found it to be more efficient for the end users to run a search and remove the JndiLookup.class by themselves.
The SAS end users would need to:
- Search for log4j-core-2.*.jar on their C:\ drive
- Have a zip utility such as WinZip, 7-Zip or another zip utility
- Only do this for version 2.1 or earlier. Do not select 2.11 or higher.
The following are step-by-step instructions:
1. On the client machine, navigate to the C drive and run a search for log4j-core-2.*.jar
Figure 1: Ensure the install location shows SASHome and ver. 2.1 for the Jar file.
2. Right click on a Jar file and select ‘Open File Location’
3. Find the target Jar file and right click
4. Use any zip utility (we have 7z): right click and select open archive
   Note the path: org/apache/logging/log4j/core/lookup
5. Right click on JndiLookup.class and select delete, then close the archive
6. Close the archive and save in the same location
7. Continue with the next Jar file
Note:
In some cases, your access to delete and/or save the Jar file after the deletion will be restricted. In that case, follow steps 1 to 4, copy the Jar file to the download folder or some other temp location, complete steps 5 & 6 there, and, as an added step, cut and paste it back to the file location the original Jar file was copied from.
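The same steps as a script, for machines where clicking through each Jar file is impractical. This is an added example, not SAS-provided code and not part of the original instructions. It assumes Windows PowerShell 5.1 or later; the function name Remove-JndiLookup is hypothetical, and the filter reads the criteria above as "path contains SASHome, file name version 2.0 or 2.1".

```powershell
# Added example (not SAS-provided). Assumes Windows PowerShell 5.1 or later.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$EntryName = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Remove-JndiLookup {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$JarPath)

    # Check read-only first so jars without the class are never rewritten.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try { $present = $null -ne $zip.GetEntry($EntryName) } finally { $zip.Dispose() }
    if (-not $present) { return 'not present' }

    # Edit a temp copy and paste it back, as in the note for restricted folders.
    $work = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.jar')
    Copy-Item -LiteralPath $JarPath -Destination $work
    $zip = [System.IO.Compression.ZipFile]::Open($work, 'Update')
    try { $zip.GetEntry($EntryName).Delete() } finally { $zip.Dispose() }

    try {
        Copy-Item -LiteralPath $work -Destination $JarPath -Force -ErrorAction Stop
        return 'removed'
    } catch {
        # Typical causes: no write permission, or the jar is locked by a running client.
        return "could not write back: $($_.Exception.Message)"
    } finally {
        Remove-Item -LiteralPath $work -ErrorAction SilentlyContinue
    }
}

Get-ChildItem -Path 'C:\' -Filter 'log4j-core-2.*.jar' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        # Criteria from the steps above: under SASHome, version 2.1 or earlier (never 2.11+).
        $_.FullName -like '*\SASHome\*' -and
        $_.Name -match '^log4j-core-2\.(\d+)' -and [int]$Matches[1] -le 1
    } |
    ForEach-Object {
        [pscustomobject]@{ Jar = $_.FullName; Result = Remove-JndiLookup -JarPath $_.FullName }
    }
```

Close the SAS clients before running it, and rerun it afterwards: every matching Jar file should then report 'not present'.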