CVE-2021-44228 (Log4Shell Log4j) vulnerability in JMP® products

JMP products use Java to connect to SAS^® applications on remote systems. The Log4j file is used only in the SAS^® Integration Technologies option that is used to connect JMP to SAS. If this option was not checked during installation (the default selection is unchecked), Log4j files should not be present on the system.

JMP® 18.0

Java support has been removed in JMP 18. No Log4j vulnerability is present in this version.

JMP® 17.0

This version of JMP is running the Log4j version 2.17.2, which is listed as the fixed version and is not subject to the exploit.

JMP® 16.1 and earlier

This section includes JMP^® Genomics 10.1 and earlier, and JMP^® Clinical 8.1 and earlier products, which are not impacted by the CVE-2021-44228 (Log4Shell) vulnerability because of the following reasons, referenced in CVE-2021-4104:

In JMP^® 16, the Java Runtime Environment protects against the message vulnerability because JMP software uses Java 11.
In all versions of JMP, the necessary configuration file to enable the message passing operation is not provided.
In JMP 16.1 and older, the Log4j version is 1.x, which predates the vulnerability.

JMP® 16.2

JMP 16.2 was in the final stages of release testing when the Log4j security issue was discovered. JMP 16.2 uses Log4j 2.15.0.

Security software and code scanners will report JMP 16.2 as vulnerable because it uses Log4j 2.15.0, which is vulnerable to CVE-2021-45105 and CVE-2021-45046:

CVE-2021-45105 (5.9 Medium severity): Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. This vulnerability could allow an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0.
CVE-2021-45046 (9.0 Critical severity): It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain nondefault configurations. When the logging configuration uses a nondefault Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map input data could craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on MacOS, Fedora, Arch Linux, and Alpine Linux.

JMP 16.2 should not be vulnerable to CVE-2021-45046 because the default configuration is used, but it is potentially vulnerable to CVE-2021-45105. Because JMP uses a standard implementation and runs only when initiating a connection to SAS (after which it is shut down), JMP should not be vulnerable to CVE-2021-45105.

However, if you installed SAS Integration Technologies to enable JMP to connect to SAS and you desire a mitigating solution, you can un-install SAS Integration Technologies from JMP.

To un-install SAS Integration Technologies:

Windows

In the search box on the task bar, type Control Panel and select it from the results.
Select Programs ► Programs and Features.
Right-click JMP and select Change or Modify.
When the JMP Options window appears, un-check Integration Technologies and click Apply.

A reboot might be required.

Mac OS

Apple seals its application packages, so it is not possible to remove the Log4j files without corrupting the installation. For this reason, it is recommended that you downgrade to JMP 16.1.

For more information, see the official SAS Statement Regarding Remote Code Execution Vulnerability.

If you need additional assistance or have more questions, contact JMP Technical Support.

[Previously JMP Note 68714]