Problem Note 52725: An OpenSSL Heartbleed vulnerability exists in SAS® 9.4 Web Server
SAS 9.4 Web Server includes OpenSSL 1.0.1c, which contains the Heartbleed vulnerability (CVE-2014-0160, affecting OpenSSL 1.0.1 through 1.0.1f) that is described in the following documents:
Any instance of SAS 9.4 Web Server that is configured for Secure Sockets Layer (SSL) or TLS, that is, any instance that serves HTTPS, is exposed to this vulnerability. An unauthenticated remote client can use the flaw to read portions of the web server process's memory, which can include the server's private key, session identifiers, and user credentials.
Note: SAS 9.4 Web Server is part of the SAS® 9.4 Integration Technologies middle tier. The web server is included with SAS® BI Server, SAS® Enterprise BI Server, SAS® Visual Analytics, and any SAS® solution that includes a middle tier.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Verifying the Fix
After you apply the hot fix, you can verify that the fixed version of OpenSSL is being used by restarting SAS 9.4 Web Server and examining the error.log file, which is located in the following directory:
SAS-configuration-directory/LevN/Web/WebServer/Logs
The newly produced error.log file should contain messages similar to the following:
[Tue Apr 18 14:37:06 2014] [info] mod_ssl/2.2.23 compiled against Server: Apache/2.2.23, Library: OpenSSL/1.0.1g-fips
[Tue Apr 18 14:37:06 2014] [notice] Apache/2.2.23 (Unix) vFabric/5.2.0 vFabricLicense/5.2.0 mod_ssl/2.2.23 OpenSSL/1.0.1g-fips DAV/2 mod_bmx/0.9.4 configure resuming normal operations
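The following POSIX shell script is an added example, not part of the SAS note: it automates the error.log check described above by extracting the OpenSSL version that mod_ssl reports at startup and flagging the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f). The two startup lines it writes when run without an argument are constructed samples modelled on the log lines quoted above, so the script runs without a SAS installation; the function names and the script name are this example's own.

```shell
#!/bin/sh
# Added example (not part of the SAS note): automate the error.log check.
# Extracts the OpenSSL version that mod_ssl reports at startup and flags
# the Heartbleed-affected range, OpenSSL 1.0.1 through 1.0.1f. 1.0.1g and
# later, and the 1.0.0 and 0.9.8 lines, are not affected.

# Return 0 (true) if the version string is in the affected range.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;  # e.g. 1.0.1c, 1.0.1e-fips
        *) return 1 ;;
    esac
}

# Print the version from the most recent "OpenSSL/<ver>" token in the log
# (for the banner quoted above this yields "1.0.1g-fips").
openssl_version_from_log() {
    sed -n 's|.*OpenSSL/\([^ ]*\).*|\1|p' "$1" | tail -n 1
}

# Check one error.log: print a verdict and return 0 if patched,
# 1 if vulnerable, 2 if no version string could be found.
check_log() {
    ver=$(openssl_version_from_log "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no OpenSSL version found in $1"
        return 2
    fi
    if heartbleed_affected "$ver"; then
        echo "VULNERABLE: $1 reports OpenSSL/$ver"
        return 1
    fi
    echo "PATCHED: $1 reports OpenSSL/$ver"
    return 0
}

# Constructed sample log: the two startup lines a server would write,
# with the OpenSSL version substituted. $1 = output path, $2 = version.
write_sample_log() {
    printf '%s\n' \
        "[Tue Apr 18 14:37:06 2014] [info] mod_ssl/2.2.23 compiled against Server: Apache/2.2.23, Library: OpenSSL/$2" \
        "[Tue Apr 18 14:37:06 2014] [notice] Apache/2.2.23 (Unix) vFabric/5.2.0 vFabricLicense/5.2.0 mod_ssl/2.2.23 OpenSSL/$2 DAV/2 mod_bmx/0.9.4 configure resuming normal operations" \
        > "$1"
}

# Usage: sh check_heartbleed_log.sh SAS-configuration-directory/LevN/Web/WebServer/Logs/error.log
# With no argument, runs against constructed samples for an unpatched
# (1.0.1c) and a patched (1.0.1g-fips) server.
if [ "$#" -gt 0 ]; then
    check_log "$1"
else
    for v in 1.0.1c 1.0.1g-fips; do
        f=$(mktemp)
        write_sample_log "$f" "$v"
        check_log "$f" || true
        rm -f "$f"
    done
fi
```

The version-string test is sufficient here because the SAS hot fix replaces the bundled library with 1.0.1g; for an OpenSSL build from another vendor that backports the fix while keeping an older version number, the string alone is not conclusive. A PATCHED verdict also only proves that the restarted server loaded the fixed library; it says nothing about what may have been read from memory before the fix was applied, which is the subject of the next section.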
Further Steps
After you patch and restart all of your servers, assume that anything held in the web server's memory while it was exposed might have been read, review your systems for signs of compromise, and take the appropriate steps. For example, you might need to generate new private keys and certificates, revoke the old server certificates, change any passwords that were sent to or stored by the server, and close any long-running sessions so that captured session identifiers cannot be reused. Work with your security team to analyze all security changes that are required by your systems.
You might also want to periodically check the links that are listed above for up-to-date information about any known impact of the vulnerability.
Operating System and Release Information
Product Family | Product | System | Product Release Reported in | Product Release Fixed* | SAS Release Reported in | SAS Release Fixed*
SAS System | SAS Web Server | Microsoft® Windows® for x64 | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2
SAS System | SAS Web Server | 64-bit Enabled AIX | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2
SAS System | SAS Web Server | 64-bit Enabled Solaris | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2
SAS System | SAS Web Server | HP-UX IPF | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2
SAS System | SAS Web Server | Linux for x64 | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2
SAS System | SAS Web Server | Solaris for x64 | 9.4 | 9.4 | 9.4 TS1M0 | 9.4 TS1M2
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Type: Problem Note
Priority: alert
Date Modified: 2014-04-17 10:29:37
Date Created: 2014-04-09 15:41:04