?? Patching /opt/sas/sashome/SASEnvironmentManager/2.5/installs/hypericsvr_lax_2.5_M3_HFE8M004/SASHome/xx/SASEnvironmentManager/2.5/server-5.8.0.tar.gz::server-5.8.0-EE/hqapi1-client-6.0.2/lib/log4j-core-2.11.1.jar ? null ? null ? null ? null ? null ? null ? null ? null ? null ? null ERROR: Error while patching : java.io.IOException: This archive contains unclosed entries. at org.apache.commons.compress.archivers.tar.TarArchiveOutputStream.finish(TarArchiveOutputStream.java:291) at com.sas.vulnerabilities.utils.ArchiveCompressUtils.compressArchive(ArchiveCompressUtils.java:108) at com.sas.vulnerabilities.patcher.SequentialPatcher.packageNextArchive(SequentialPatcher.java:38) at com.sas.vulnerabilities.patcher.SequentialPatcher.packageNextArchive(SequentialPatcher.java:41) at com.sas.vulnerabilities.patcher.SequentialPatcher.patchSingleCVE(SequentialPatcher.java:58) at com.sas.vulnerabilities.patcher.SequentialPatcherInventoryTask.runSingleCveInventoryPath(SequentialPatcherInventoryTask.java:68) at com.sas.vulnerabilities.patcher.SequentialPatcherInventoryTask.run(SequentialPatcherInventoryTask.java:93) at lukfor.progress.tasks.Task.call(Task.java:39) at lukfor.progress.tasks.Task.call(Task.java:1) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) at com.oracle.svm.core.thread.JavaThreads.threadStartRoutine(JavaThreads.java:519) at com.oracle.svm.core.posix.thread.PosixJavaThreads.pthreadStartRoutine(PosixJavaThreads.java:192)

It seems like the scan option doesn't work if you specify a symlink. For example if I have the home path specified as /sso/sfw/sas/940M6 where 940M6 is a symlink to 940A, it appears to run but doesn't actually scan anything. If I run it directly on 940A it works as expected.

I’m traying to fix the log4j vulnerability in Viya 3.5 environment on Linux. It only found one jar, however when I run it to fix it, I get the error: Error while patching : java.nio.file.FileSystemException: ./loguccino-patch-27122021120042/inventoryOriginals/0/opt/sas/viya/home/libexec/cachelocator-service-1.25.14.jar: Operation not permitted

I have been running both with the user who owns the jar and with the installer user but in both cases the error is the same.

Should the patch be run with a specific user?

Sasviya 3.5 After patched sas-viya-cachelocator-default service can't not start

see the error message https://imgur.com/a/mfVRVUz

https://imgur.com/a/YOUcN2J

C:\Program Files\SASHome\SASDeploymentManager\9.4\products\cfgwizard__94550__prt__xx__sp0__1\Utilities\AppServer\Source\Config\vfabrictcsvr\gemfire.zip::gemfire/lib/log4j-core-2.1.jar C:\Program Files\SASHome\SASDeploymentManager\9.4\products\cfgwizard__94550__prt__xx__sp0__1\Utilities\AppServer\Source\Config\vfabrictcsvr\jars\gemfire\log4j-core-2.1.jar

Java error: ERROR: Error while patching : java.nio.file.AccessDeniedException: C:\Program Files\SASHome\SASDeploymentManager\9.4\products\cfgwizard__94550__prt__xx__sp0__1\Utilities\AppServer\Source\Config\vfabrictcsvr\jars\gemfire\log4j-core-2.1.jar -> .\loguccino-patch-08012022144324\inventoryOriginals\0\C\Program Files\SASHome\SASDeploymentManager\9.4\products\cfgwizard__94550__prt__xx__sp0__1\Utilities\AppServer\Source\Config\vfabrictcsvr\jars\gemfire\log4j-core-2.1.jar at sun.nio.fs.WindowsException.translateToIOException(Unknown Source) at sun.nio.fs.WindowsException.rethrowAsIOException(Unknown Source) at sun.nio.fs.WindowsFileCopy.move(Unknown Source) at sun.nio.fs.WindowsFileSystemProvider.move(Unknown Source) at java.nio.file.Files.move(Unknown Source) at com.sas.vulnerabilities.patcher.SequentialPatcherInventoryTask.runSingleCveInventoryPath(SequentialPatcherInventoryTask.java:81) at com.sas.vulnerabilities.patcher.SequentialPatcherInventoryTask.run(SequentialPatcherInventoryTask.java:93) at lukfor.progress.tasks.Task.call(Task.java:39) at lukfor.progress.tasks.Task.call(Task.java:1) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) INFO: Patch results written to CSV file: C:\Users\Simon\scan\loguccino-patch-08012022144324\patch.csv

sudo /sso/sfw/loguccino/loguccino_scan.sh env: /bin/ldapsearch: No such file or directory

Is ldapsearch a requirement?

When I pointed to a version of ldapsearch, it didn't seem to like the version. /bin#> sudo ln -s /opt/quest/bin/ldapsearch ldapsearch /loguccino#> sudo /sso/sfw/loguccino/loguccino_scan.sh ldapsearch: -D not supported in VAS version, please use -u instead

You need to use --no-compress option in command line for Viya 3.x as documented in SAS documentation, so please can you align GitHub documentation path-to-bin-java -jar loguccino-version.jar patch --no-compress path-to-myOutput.csv

I am unable to download the Linux Binary for loguccino. The link seems to be broken as given on the software download Page

Link : https://github.com/sassoftware/loguccino/releases/download/v3.0.0/loguccino

The SAS documentation* refers to this repo, but the repo is empty. *https://go.documentation.sas.com/doc/en/log4j/1.0/n0emauiusfguyrn1wt2djefsqgtu.htm

This is a suggestion that the tool automatically detect nested jar files and reapply the same so that --no-compress is not necessary. This will reduce the chances of mistakes being made that would result in impactful production outages and then urgent escalated calls for support.

I have about 20 machines that are running SAS 9.4 that need to be patched. Is there a way to possibly automate the scan/patch operations? I would like to deploy this patch via GPO script.

Please explain better how the patching mechanism works.

For example...does it:

1. copy the vulnerable archive/file
2. Expand it in the patching directory
3. Patch it
4. re-archive the patched version
5. copy the patched version into place of the vulnerable archive/file in the deployment
6. In the patched directory, the copy of the original (vulnerable) file/archive remains

We want to be clear about what is being left behind here and in what state so folks can determine whether/when it's safe to delete any content that contains the vulnerability.

Thanks!

While using the latest version of the loguccino utility (v3.1.0) i am noticing that the tar.gz files are not being read. The log shows following Error

14:23:09.880 ERROR: Could not scan file: /app/SAS/9.4_config/meta/Lev1/Web/SASEnvironmentManager/agent-5.8.0-EE/bundles/agent-5.8.0/product_connectors/rt-1.0.2.tar.gz. The exception was java.nio.charset.MalformedInputException: Input length = 1

14:23:09.880 ERROR: Could not scan file: /app/SAS/9.4_config/meta/Lev1/Web/SASEnvironmentManager/agent-5.8.0-EE/bundles/agent-5.8.0/product_connectors/snmp-1.0.2.tar.gz. The exception was java.nio.charset.MalformedInputException: Input length = 1

After testing I saw issues with tar.gz files not being readable. I updated archive utils to follow the example from https://commons.apache.org/proper/commons-compress/examples.htm

As far as I can tell this has fixed the issue.