(Oct 2024) SAS Administration – LOG4J in SAS 9.4TS1M8
SAS has addressed the usage of Log4j v1 in the SAS 9.4M7 release with a security update. If you use SAS 9.4M7 or an earlier SAS 9.4 release, SAS recommends that you update to SAS 9.4M8 or later. As always, SAS recommends that you keep your SAS deployments up to date. The current version of the SAS®9 platform is SAS 9.4M8 (TS1M8).
After updating to SAS 9.4 TS1M8, some customers still report that their security scanning tools flag LOG4J (log4j-1.15.1.jar), for example:
\SASHome\SASVersionedJarRepository\eclipse\plugins\Geode_Full_1.15.1.0_SAS_20231023074409\geode-log4j-1.15.1.jar
According to Technical Support, it is a false positive. geode-log4j-1.15.1.jar is not log4j but part of the Geode software, and the version number is the version number of Geode, not log4j.
Read more: https://support.sas.com/content/support/en/security-bulletins/log4j-v1-vulnerabilities.html (February 2023)
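A content-based check for the false positive described above, as an added example that is not from SAS or the original post: it compares what a filename pattern matches against whether classes under `org/apache/log4j/` are actually inside the JAR. The sample JARs are constructed in memory, and the function names, the filename pattern and the marker list are assumptions of this example.

```python
import io
import re
import zipfile

# Assumption of this example: Log4j 1.x is recognised by its core classes under
# org/apache/log4j/. Other JARs that ship this package would match as well.
LOG4J1_MARKERS = ("org/apache/log4j/Logger.class", "org/apache/log4j/Appender.class")
NAME_PATTERN = re.compile(r"log4j-\d", re.IGNORECASE)  # what a filename-only scan keys on

def build_jar(entries):
    """Build an in-memory JAR from {entry_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def classify_jar(filename, jar_bytes):
    """Return (name_match, content_match, implementation_title) for one JAR."""
    name_match = bool(NAME_PATTERN.search(filename))
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = set(jar.namelist())
        content_match = any(marker in entries for marker in LOG4J1_MARKERS)
        title = None
        if "META-INF/MANIFEST.MF" in entries:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.lower().startswith("implementation-title:"):
                    title = line.split(":", 1)[1].strip()
    return name_match, content_match, title

def verdict(filename, jar_bytes):
    name_match, content_match, _ = classify_jar(filename, jar_bytes)
    if content_match:
        return "log4j-1.x classes present"
    return "filename-only match" if name_match else "no match"

# Constructed samples: entry names are hypothetical, not copied from the real JARs.
GEODE_LIKE = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nImplementation-Title: geode-log4j\r\n",
    "org/apache/geode/logging/log4j/Example.class": b"",
})
LOG4J1_LIKE = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nImplementation-Title: log4j\r\n",
    "org/apache/log4j/Logger.class": b"",
})

if __name__ == "__main__":
    print(verdict("geode-log4j-1.15.1.jar", GEODE_LIKE))
    print(verdict("log4j-1.2.17.jar", LOG4J1_LIKE))
```

To run it against a real deployment, pass the bytes of each flagged file to `classify_jar` and review any JAR where the content check matches.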