Severity: High

Description: Releases of SAS Web Application Server up through the fourth maintenance release of SAS^® 9.4 (TS1M4) are based on versions of Apache Tomcat 7 that are earlier than Tomcat 7.0.82. Those versions of Tomcat 7 contain the following security vulnerabilities:

• CVE-2017-12615
• CVE-2017-12616
• CVE-2017-12617

The SAS Web Application Server for the fifth maintenance release of SAS^® 9.4 (TS1M5) is based on a version of Apache Tomcat 8.5 that is earlier than Tomcat 8.5.23. That version of Tomcat 8 contains the following security vulnerabilities:

• CVE-2017-12617
• CVE-2017-5664
• CVE-2017-7674
• CVE-2017-7675

Potential Impact: When you run Apache Tomcat 7.0.0 to 7.0.79 in Microsoft Windows operating environments with HTTP PUT methods enabled, it is possible for a malicious JSP file to be uploaded to the server via a specially crafted request.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Operating System and Release Information

A fix for this issue for SAS Web Application Server 9.44 is available at:

A fix for this issue for SAS Web Application Server 9.43 is available at:

A fix for this issue for SAS Web Application Server 9.42 is available at:

A fix for this issue for SAS Web Application Server 9.41 is available at:

A fix for this issue for SAS Web Application Server 9.4 is available at: