Problem Note 61175: SAS® Web Infrastructure Platform Database update or upgrade addresses known security vulnerabilities
 |  |  |  |  |
Severity: Medium
Description: The following versions of PostgreSQL are used as the underlying technology for the SAS Web Infrastructure Platform Data Server:
- PostgreSQL 9.5.x, which is used with SAS® 9.4M6 (TS1M6)
- PostgreSQL 12.x, which is used with SAS® 9.4M7 (TS1M7)
- PostgreSQL 14.x, which is used with SAS® 9.4M8 (TS1M8)
Updates to these versions of SAS are being offered to keep current with security fixes to PostgreSQL.
These versions of PostgreSQL have the following known security vulnerabilities:
- Vulnerability Summary for CVE-2023-39417
- Vulnerability Summary for CVE-2023-2455
- Vulnerability Summary for CVE-2023-2454
- Vulnerability Summary for CVE-2022-41862
- Vulnerability Summary for CVE-2022-37434
- Vulnerability Summary for CVE-2022-2625
- Vulnerability Summary for CVE-2022-2068
- Vulnerability Summary for CVE-2022-1552
- Vulnerability Summary for CVE-2022-1292
- Vulnerability Summary for CVE-2022-0778
- Vulnerability Summary for CVE-2021-32029
- Vulnerability Summary for CVE-2021-32028
- Vulnerability Summary for CVE-2021-32027
- Vulnerability Summary for CVE-2021-23222
- Vulnerability Summary for CVE-2021-23214
- Vulnerability Summary for CVE-2021-3677
- Vulnerability Summary for CVE-2021-3393
- Vulnerability Summary for CVE-2020-25696
- Vulnerability Summary for CVE-2020-25695
- Vulnerability Summary for CVE-2020-25694
- Vulnerability Summary for CVE-2020-14350
- Vulnerability Summary for CVE-2020-14349
- Vulnerability Summary for CVE-2020-10733
- Vulnerability Summary for CVE-2019-10211
- Vulnerability Summary for CVE-2019-10210
- Vulnerability Summary for CVE-2019-10208
- Vulnerability Summary for CVE-2019-10130
- Vulnerability Summary for CVE-2019-10128
- Vulnerability Summary for CVE-2019-10127
Potential Impact: These security concerns have the following impact:
- Denial of service.
- Access to higher privileged connections.
- Access to execute arbitrary SQL statements as owner.
- An opportunity for a man-in-the-middle attack or the ability to observe cleartext transmissions.
- Creation of non-temporary objects can execute arbitrary SQL functions under the identity of a super user.
- Buffer overrun from integer overflow in array subscripting calculations.
- Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE.
- Memory disclosure in partitioned-table UPDATE ... RETURNING.
- Vulnerabilities in Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck.
SAS supports all versions of the database delivered with the product but only the latest version, PostgreSQL 12.x, continues to receive security fixes from the PostgreSQL community.
SAS® 9.4M0 (TS1M0) to SAS® 9.4M5 (TS1M5) delivered PostgreSQL 9.1.x for the SAS® Web Infrastructure Platform Data Server. With the exception of SAS 9.4M5, these databases cannot be updated or upgraded to a later release. The latest release that SAS 9.4M5 can be upgraded to is PostgreSQL 9.4.24, which is currently out of support by the PostgreSQL community. If you require SAS 9.4M5 to be upgraded to that release, contact SAS Technical Support for the manual steps.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Install the Hot Fix
The hot fix in this SAS Note addresses the following scenarios:
- The SAS version is SAS 9.4M6, and you are updating 9.5.x.
- The SAS version is SAS 9.4M7, and you are updating 12.x.
- The SAS version is SAS 9.4M8, and you are updating 14.x.
SAS 9.4M6
It is highly recommended that, if you run SAS 9.4M6 and you require security updates to PostgreSQL, you upgrade to SAS 9.4M7 and PostgreSQL 12.x.
If you are unable to update to SAS 9.4M7 at this time but still require PostgreSQL 12.x, then you must contact SAS Technical Support for the paper about how to manually update PostgreSQL 9.x to 12.x.
If you are at SAS 9.4M6 and have already upgraded to PostgreSQL 12, then you can apply the hot fix in this note to update the PostgreSQL database to 12.8.
If you would like to update SAS 9.4M6 to the latest PostgreSQL 9.5.x supported and you have not yet upgraded to PostgreSQL 9.5.x, then you must follow the directions in the documentation Upgrading PostgreSQL.
Once your database is at 9.5.x or if it already is at 9.5.x from an out-of-the-box installation, then you can apply the hot fix in this note to update the PostgreSQL database to 9.5.24.
SAS 9.4M7
If you run SAS 9.4M7 and you have not yet upgraded to PostgreSQL 12.x, then you must follow the directions in the documentation Upgrading PostgreSQL if you want to keep receiving security fixes for your PostgreSQL instances.
Once your database is at 12.x or if it is already at 12.x from an out-of-the-box installation, then you can apply the hot fix in this note to update the PostgreSQL database to 12.20.
SAS 9.4M8
If you run SAS 9.4M8 and you have not yet upgraded to PostgreSQL 14.x, then you must follow the directions in the documentation Upgrading PostgreSQL if you want to keep receiving security fixes for your PostgreSQL instances.
Once your database is at 14.x or if it is already at 14.x from an out-of-the-box installation, then you can apply the hot fix in this note to update the PostgreSQL database to 14.13 with OpenSSL 3.1.2.
A Possible Upgrade Issue
Note that when you perform the upgrade, sometimes the cursor is not returned to the user. The upgrade appears to stop responding after it reports that all databases have been upgraded. It is safe to press Ctrl-C to exit the upgrade at this point.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Web Infrastructure Platform Data Server | Microsoft Windows Server 2016 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 |
| Microsoft Windows Server 2012 Std | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows Server 2012 R2 Std | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows Server 2012 R2 Datacenter | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows Server 2012 Datacenter | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows 10 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows 8.1 Pro x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows 8.1 Pro 32-bit | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows 8.1 Enterprise x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows 8.1 Enterprise 32-bit | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows 8 Pro x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows 8 Pro 32-bit | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows 8 Enterprise x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows 8 Enterprise 32-bit | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft® Windows® for x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Windows 7 Enterprise 32 bit | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Windows 7 Enterprise x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Windows 7 Home Premium 32 bit | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Windows 7 Home Premium x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Windows 7 Professional 32 bit | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Windows 7 Professional x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Windows 7 Ultimate 32 bit | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Windows 7 Ultimate x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| 64-bit Enabled AIX | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| 64-bit Enabled Solaris | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| HP-UX IPF | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Linux for x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Solaris for x64 | 9.4_M5 | 9.4_M6 | 9.4 TS1M5 | 9.4 TS1M6 | ||
An update for this issue is available for SAS Viya 3.4. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.4 for Windows Deployment Guide at
http://documentation.sas.com/?softwareId=administration&softwareVersion=3.4&softwareContextId=softwareUpdatesWinAn update for this issue is available for SAS Viya 3.4. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.4 for Linux Deployment Guide at
http://documentation.sas.com/?softwareId=administration&softwareVersion=3.4&softwareContextId=softwareUpdatesViya on Linux: An update for this issue is available for SAS Viya 3.4. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.4 for Linux Deployment Guide at
http://documentation.sas.com/?softwareId=administration&softwareVersion=3.4&softwareContextId=softwareUpdatesA fix for this issue for SAS Web Infrastructure Platform Data Server 9.4_M8 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/M1Y.html#61175A fix for this issue for SAS Web Infrastructure Platform Data Server 9.4_M7 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/I7F.html#61175A fix for this issue for SAS Web Infrastructure Platform Data Server 9.4_M6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/F6P.html#61175| Type: | Problem Note |
| Priority: | high |
| Topic: | Data Management ==> Data Sources ==> External Databases ==> PostgreSQL |
| Date Modified: | 2024-11-15 15:19:02 |
| Date Created: | 2017-09-29 13:51:04 |