SAS Security Update for SAS 9.4M7 (TS1M7) – Critical
Multiple third-party security vulnerabilities within the SAS® product suite are addressed in the SAS security update for SAS 9.4M7, a software security update. Because security updates are cumulative, only the most recent update needs to be applied. The latest available release is dated 6-21-2021.
The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
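The check that the HttpResource and FileBackedHttpResource implementations above failed to perform, as an added illustration (not SAS, Shibboleth or OpenSAML code): the server hostname must match a dNSName in the certificate's subjectAltName, or the subject CN only when no dNSName is present, with a wildcard covering exactly one leftmost label. The certificate fields are passed in as already-parsed strings from a constructed example, not a real certificate.

```python
"""Hostname-vs-certificate matching of the kind the fixed implementations perform.

Added illustration, not SAS, Shibboleth or OpenSAML code. Takes the subject CN
and the subjectAltName dNSName entries as already-parsed strings and applies
RFC 6125-style rules: SAN dNSName entries take precedence over the CN, the CN
is consulted only when no dNSName is present, and a wildcard matches exactly
one leftmost label.
"""
from __future__ import annotations


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a hostname (case-insensitive, no trailing dot)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard is allowed only as the entire leftmost label, never for a bare TLD,
    # and it stands in for exactly one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, subject_cn: str | None, san_dns: list[str]) -> bool:
    """True if hostname matches a SAN dNSName entry or, when the certificate carries
    no dNSName entries at all, the subject CN. A mismatch means the peer presented
    a certificate valid for some other name, which is the case the vulnerable
    HttpResource accepted."""
    if san_dns:
        return any(_label_matches(name, hostname) for name in san_dns)
    return subject_cn is not None and _label_matches(subject_cn, hostname)


# Constructed certificate summary for an example IdP host (hypothetical names).
EXAMPLE_CN = "idp.example.edu"
EXAMPLE_SAN = ["idp.example.edu", "*.sso.example.edu"]

if __name__ == "__main__":
    for host in ("idp.example.edu", "a.sso.example.edu", "evil.example.net"):
        print(host, "->", hostname_matches(host, EXAMPLE_CN, EXAMPLE_SAN))
```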
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
Note: Vulnerabilities in the “Modified” state, that is, those still under review for analysis, are not listed here.