SAS Security Update for SAS 9.4M7 (TS1M7) – Critical

Multiple third-party security vulnerabilities within the SAS^® product suite are addressed in the SAS security update for SAS 9.4M7, a software security update. Since security updates are cumulative, the most recent update need be applied.  6-21-2021 is the latest release available.

Vulnerabilities Addressed:

CVE-2014-3603 Detail

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2015-1796 Detail

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

CVE-2018-11797 Detail

In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.

Note: Those vulnerabilities that are in “Modified” state, that is are under review for analysis re not listed here.

Solution

Access https://tshf.sas.com/techsup/download/hotfix/HF2/SAS_Security_Updates.html to download latest security release and follow the directions provided.