Severity: Critical

Description: The Apache Groovy library, which is used by many SAS^® products, is vulnerable to remote code execution. For information about exposure and fixes, see SAS Statement Regarding the Java Deserialization Vulnerability.

Potential Impact: An attacker might execute malicious code on the server.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Operating System and Release Information

Product Family	Product	System	SAS Release
			Reported	Fixed*
SAS System	Multiple	N/A	9.4	9.4 TS1M4

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

---

A fix for this issue for SAS Environment Manager 2.5 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/V76.html#58196

---

A fix for this issue for Supplemental Hot Fix for SAS Security Update 9.4_M3 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/Y09.html#58196

---

A fix for this issue for SAS Environment Manager Agent 2.5 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/W85.html#58196

---

A fix for this issue for SAS Environment Manager Agent 2.1 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/Y47.html#58196

---

The Apache Groovy library, which is used by many SAS^® products, is vulnerable to remote code execution.

Type:	Problem Note
Priority:	high

Date Modified:	2018-10-02 12:02:31
Date Created:	2016-05-11 14:01:16