SAS 9.4 Web Server includes OpenSSL 1.0.1c, which contains the Heartbleed vulnerability that is described in the following documents:

• http://www.kb.cert.org/vuls/id/720951
• http://www.us-cert.gov/ncas/alerts/TA14-098A
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Note: SAS 9.4 Web Server is part of the SAS^® 9.4 Integration Technologies middle tier. The web server is included with SAS^® BI Server, SAS^® Enterprise BI Server, SAS^® Visual Analytics, and any SAS^® solution that includes a middle tier.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Verifying the Fix

After you apply the hot fix, you can verify that the fixed version of OpenSSL is being used by restarting SAS 9.4 Web Server and examining the error.log file, which is located in the following directory:

[Tue Apr 18 14:37:06 2014] [info] mod_ssl/2.2.23 compiled against Server: Apache/2.2.23, Library: OpenSSL/1.0.1g-fips
[Tue Apr 18 14:37:06 2014] [notice] Apache/2.2.23 (Unix) vFabric/5.2.0 vFabricLicense/5.2.0 mod_ssl/2.2.23 OpenSSL/1.0.1g-fips DAV/2 mod_bmx/0.9.4 configure resuming normal operations

Further Steps

After you patch and restart all of your servers, you should review your systems for what might have been compromised and take the appropriate steps. For example, you might need to provide new keys and certificates, revoke old server certificates, change any passwords, or close any long–running sessions. Work with your security team to analyze all security changes that are required by your systems.

You might also want to periodically check the links that are listed above for up-to-date information about any known impact of the vulnerability.

Operating System and Release Information

A fix for this issue for SAS Web Server 9.4_M1 is available at:

A fix for this issue for SAS Environment Manager 2.1_M1 is available at:

A fix for this issue for SAS Environment Manager 2.1 is available at:

A fix for this issue for SAS Web Server 9.4 is available at: