Severity: High
Description: Releases of SAS Web Application Server up through the fourth maintenance release of SAS® 9.4 (TS1M4) are based on versions of Apache Tomcat 7 that are earlier than Tomcat 7.0.82. Those versions of Tomcat 7 contain the following security vulnerabilities:
The SAS Web Application Server for the fifth maintenance release of SAS® 9.4 (TS1M5) is based on a version of Apache Tomcat 8.5 that is earlier than Tomcat 8.5.23. That version of Tomcat 8 contains the following security vulnerabilities:
Potential Impact: When you run Apache Tomcat 7.0.0 to 7.0.79 in Microsoft Windows operating environments with HTTP PUT methods enabled, it is possible for a malicious JSP file to be uploaded to the server via a specially crafted request.
Click the Hot Fix tab in this note to access the hot fix for this issue.
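The following check is an added example, not SAS or Apache code: it compares a Tomcat version string against the fixed releases named in the Description (7.0.82 and 8.5.23) and reports whether a `web.xml` enables HTTP PUT on the default servlet. It assumes the version is available as `x.y.z` and that PUT is enabled through the DefaultServlet `readonly` init-param; the sample descriptor is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed Tomcat releases per branch, taken from the advisory text.
FIXED = {(7, 0): (7, 0, 82), (8, 5): (8, 5, 23)}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample descriptor (not from a SAS installation).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def older_than_fix(version):
    """True/False for the 7.0 and 8.5 branches; None for branches the advisory does not cover."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed

def _local(tag):
    # Drop the namespace so Tomcat 7 and 8.5 descriptors are handled alike.
    return tag.rsplit("}", 1)[-1]

def _fields(elem):
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def put_enabled_servlets(web_xml_text):
    """Names of DefaultServlet entries with readonly=false (PUT and DELETE accepted).
    readonly defaults to true, so an entry without the parameter is not reported."""
    hits = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        info = _fields(servlet)
        if info.get("servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            kv = _fields(param)
            if (_local(param.tag) == "init-param" and kv.get("param-name") == "readonly"
                    and kv.get("param-value", "").lower() == "false"):
                hits.append(info.get("servlet-name", "?"))
    return hits

if __name__ == "__main__":
    print(older_than_fix("7.0.79"), put_enabled_servlets(SAMPLE_WEB_XML))
```

A host that is older than the fix and also reports a servlet from `put_enabled_servlets` matches the condition described under Potential Impact and should be prioritized for the hot fix.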
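| Product Family | Product | System | SAS Release Reported | SAS Release Fixed* |
| --- | --- | --- | --- | --- |
| SAS System | SAS Web Application Server | Solaris for x64 | 9.4 TS1M4 | |
| SAS System | SAS Web Application Server | Linux for x64 | 9.4 TS1M4 | |
| SAS System | SAS Web Application Server | HP-UX IPF | 9.4 TS1M4 | |
| SAS System | SAS Web Application Server | 64-bit Enabled Solaris | 9.4 TS1M4 | |
| SAS System | SAS Web Application Server | 64-bit Enabled AIX | 9.4 TS1M4 | |
| SAS System | SAS Web Application Server | Microsoft® Windows® for x64 | 9.4 TS1M4 | |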