SAS Security Updates have been released for Log4j version 2 remediation in the SAS^® 9.4M6 (TS1M6) and SAS^® 9.4M7 (TS1M7) releases. The updates are dated 2022-03 (or newer) and are on the SAS Security Updates and Hot Fixes page. Before installing these updates, review the guidelines in this SAS KB Article. 

Testing at SAS has identified dependencies between the SAS Fraud Management hot fixes and a Base SAS^® fix in the SAS Security Update 2022-03. This table lists the version combinations addressed in this article.
 

SAS Fraud Management Version	Base SAS Version	SAS Fraud Management Hot Fix*	Base SAS Fix*	Installation Notes
6.1	SAS 9.4M7	Hot Fix 9 or later	SAS Security Update 2022-03 or later	Install the SAS Fraud Management hot fix first, immediately followed by the SAS Security Update.
6.1	SAS 9.4M6	Hot Fix 9 or later	SAS Security Update 2022-03 or later	Install the SAS Fraud Management hot fix first, immediately followed by the SAS Security Update.
5 (4.4M1)	SAS 9.4M6	Hot Fix 10 or later	SAS Security Update 2022-03 or later	Install the SAS Fraud Management hot fix first, immediately followed by the SAS Security Update.
5 (4.4M1)	SAS® 9.4M5 (TS1M5)	Hot Fix 10 or later	Not applicable	No Log4j v2 remediation is provided for Base SAS in SAS 9.4M5.
4.3 or earlier	SAS® 9.4M3 (TS1M3) or earlier	Not applicable	Not applicable	No Log4j v2 remediation is provided for Base SAS in SAS 9.4M3 or earlier.

*Important:  All fixes are cumulative. Installation time depends on the current hot-fix levels of SAS Fraud Management and of Base SAS in your environment.  

 

The release dates for the fixes are listed below. 

Hot Fix	Release Date
SAS Fraud Management 6.1 Hot Fix 9	April 28, 2022
SAS Fraud Management 5 (4.4M1) Hot Fix 10	April 28, 2022
SAS Security Update 2022-03	March 31, 2022

 

If you are using SAS Fraud Management 6.1 and are currently running Base SAS on SAS 9.4M7, take these steps:

• Install Hot Fix 9 for SAS Fraud Management 6.1 first; then immediately install the SAS Security Update 2022-03 package. 
• Installing these two update packages at different times will result in the SAS Fraud Management solution being inoperable. 
• You cannot install one package without the other.

If you are using SAS Fraud Management 6.1 and are currently running Base SAS on SAS 9.4M6, take these steps:

• Install Hot Fix 9 for SAS Fraud Management 6.1 first; then immediately install the SAS Security Update 2022-03 package.
• Installing these two update packages at different times will result in the SAS Fraud Management solution being inoperable.
• You cannot install one package without the other.

If you are using SAS Fraud Management 5 (4.4M1) and are currently running Base SAS on SAS 9.4M6, take these steps:

• Install Hot Fix 10 for SAS Fraud Management 5 (4.4M1) first; then immediately install the SAS Security Update 2022-03 package.
• Installing these two update packages at different times will result in the SAS Fraud Management solution being inoperable.
• You cannot install one package without the other.

If you are using SAS Fraud Management 5 (4.4M1) and are currently running Base SAS on SAS 9.4M5, take these steps:

• Install Hot Fix 10 for SAS Fraud Management 5 (4.4M1).
• There are no planned Base SAS fix packages.
• Log4j v2 remediation is included only for the SAS Fraud Management solution.

SAS Fraud Management 4.3 and all earlier versions are in Limited Support status, and there will be no remediation for Log4j v2.

These fixes do not address Log4j version 1, as noted in the SAS Security Bulletin.  

If you have additional questions or encounter an issue while installing these fixes, send a support request to frdmgmtsupport@sas.com.