Usage Note 54395: The use of Secure Sockets Layer (SSL) 3.0 with LDAPS for SAS® authentication is susceptible to POODLE vulnerability
 |  |  |  |
If your SAS® Metadata server is configured to perform direct LDAPS authentication, see Problem Note 54374: "Secure Sockets Layer (SSL) capability in SAS® Foundation products is susceptible to the POODLE security vulnerability" for critical information regarding the POODLE vulnerability.
If your SAS® deployment is configured to use host-based authentication using LDAPS with Secure Sockets Layer (SSL) 3.0, you are also exposed to the POODLE vulnerability that is described in these documents:
Note that the use of LDAPS when authenticating for SAS can be configured in several ways:
- Direct host-based authentication against LDAPS by configuring sasauth.conf to use methods=ldap.
To avoid possible exposure to the POODLE vulnerability, disable the use of SSL 3.0 when using LDAPS by editing the system-wide OpenLDAP configuration file and setting the following parameter:
"TLS_PROTOCOL_MIN 3.1"
For other LDAP implementations, contact your LDAP vendor for assistance in disabling the use of SSL 3.0. - Authentication for SAS is configured to use PAM, calling pam_ldap.so or other equivalent modules.
- On AIX, when methods=pw in sasauth.conf and LAM is configured to use LDAP with SSL 3.0.
For each of these methods, the solution is to disable the use of SSL 3.0 when using LDAPS.
To do this, edit the system-wide OpenLDAP configuration file and set the following parameter, which specifies that only TLSv1.0 and above should be used:
For other LDAP implementations, contact your LDAP vendor for assistance in disabling the use of SSL 3.0.
Operating System and Release Information
| Product Family | Product | System | SAS Release | |
| Reported | Fixed* | |||
| SAS System | Base SAS | 64-bit Enabled AIX | ||
| 64-bit Enabled HP-UX | ||||
| 64-bit Enabled Solaris | ||||
| ABI+ for Intel Architecture | ||||
| AIX | ||||
| HP-UX | ||||
| HP-UX IPF | ||||
| IRIX | ||||
| Linux | ||||
| Linux for x64 | ||||
| Linux on Itanium | ||||
| OpenVMS Alpha | ||||
| OpenVMS on HP Integrity | ||||
| Solaris | ||||
| Solaris for x64 | ||||
| Tru64 UNIX | ||||
| Type: | Usage Note |
| Priority: |
| Date Modified: | 2014-10-24 17:46:26 |
| Date Created: | 2014-10-21 12:16:48 |