Problem Note 52725: An OpenSSL Heartbleed vulnerability exists in SAS® 9.4 Web Server
 |  |  |  |  |
SAS 9.4 Web Server includes OpenSSL 1.0.1c, which contains the Heartbleed vulnerability that is described in the following documents:
- http://www.kb.cert.org/vuls/id/720951
- http://www.us-cert.gov/ncas/alerts/TA14-098A
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Note: SAS 9.4 Web Server is part of the SAS® 9.4 Integration Technologies middle tier. The web server is included with SAS® BI Server, SAS® Enterprise BI Server, SAS® Visual Analytics, and any SAS® solution that includes a middle tier.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Verifying the Fix
After you apply the hot fix, you can verify that the fixed version of OpenSSL is being used by restarting SAS 9.4 Web Server and examining the error.log file, which is located in the following directory:
[Tue Apr 18 14:37:06 2014] [info] mod_ssl/2.2.23 compiled against Server: Apache/2.2.23, Library: OpenSSL/1.0.1g-fips [Tue Apr 18 14:37:06 2014] [notice] Apache/2.2.23 (Unix) vFabric/5.2.0 vFabricLicense/5.2.0 mod_ssl/2.2.23 OpenSSL/1.0.1g-fips DAV/2 mod_bmx/0.9.4 configure resuming normal operations
Further Steps
After you patch and restart all of your servers, you should review your systems for what might have been compromised and take the appropriate steps. For example, you might need to provide new keys and certificates, revoke old server certificates, change any passwords, or close any long–running sessions. Work with your security team to analyze all security changes that are required by your systems.
You might also want to periodically check the links that are listed above for up-to-date information about any known impact of the vulnerability.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Web Server | Microsoft® Windows® for x64 | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2 |
| 64-bit Enabled AIX | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2 | ||
| 64-bit Enabled Solaris | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2 | ||
| HP-UX IPF | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2 | ||
| Linux for x64 | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2 | ||
| Solaris for x64 | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2 | ||
A fix for this issue for SAS Web Server 9.4_M1 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/S48.html#52725A fix for this issue for SAS Environment Manager 2.1_M1 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/S44.html#52725A fix for this issue for SAS Environment Manager 2.1 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/S43.html#52725A fix for this issue for SAS Web Server 9.4 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/S46.html#52725| Type: | Problem Note |
| Priority: | alert |
| Date Modified: | 2014-04-17 10:29:37 |
| Date Created: | 2014-04-09 15:41:04 |