61767 - A denial of service vulnerability occurs in SAS® Metadata Server after interactions with SAS® Customer Intelligence Studio

Problem Note 61767: A denial of service vulnerability occurs in SAS® Metadata Server after interactions with SAS® Customer Intelligence Studio

Severity: High

Description: SAS Metadata Server might be subject to a denial of service vulnerability by an attacker with user-level permissions. This issue occurs when the user configures a specially formatted email in SAS Customer Intelligence Studio.

Potential Impact: SAS Customer Intelligence Studio users might knowingly or unknowingly execute malicious operations.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	SAS Metadata Server	z/OS	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft® Windows® for x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows 8 Enterprise 32-bit	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows 8 Enterprise x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows 8 Pro 32-bit	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows 8 Pro x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows 8.1 Enterprise 32-bit	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows 8.1 Enterprise x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows 8.1 Pro 32-bit	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows 8.1 Pro x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows 10	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows Server 2008	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows Server 2008 R2	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows Server 2008 for x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows Server 2012 Datacenter	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows Server 2012 R2 Datacenter	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows Server 2012 R2 Std	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Microsoft Windows Server 2012 Std	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Windows 7 Enterprise 32 bit	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Windows 7 Enterprise x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Windows 7 Home Premium 32 bit	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Windows 7 Home Premium x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Windows 7 Professional 32 bit	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Windows 7 Professional x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Windows 7 Ultimate 32 bit	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Windows 7 Ultimate x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		64-bit Enabled AIX	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		64-bit Enabled Solaris	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		HP-UX IPF	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Linux for x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4
		Solaris for x64	9.4_M4	9.4_M4	9.4 TS1M4	9.4 TS1M4

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type:	Problem Note
Priority:	high

Date Modified:	2018-02-16 09:42:06
Date Created:	2018-01-30 10:15:47

Support

Problem Note 61767: A denial of service vulnerability occurs in SAS® Metadata Server after interactions with SAS® Customer Intelligence Studio

Operating System and Release Information