Problem Note 62144: SAS® Environment Manager contains security vulnerabilities (multiple CVEs)
 |  |  |  |  |
Severity: High
Description: Apache Tomcat 8.5.13 and 8.0.36 contain multiple security vulnerabilities.
The SAS Environment Manager web application server that is available in the fifth maintenance release of SAS® 9.4 (TS1M5) is based on Apache Tomcat 8.5.13. This version of Tomcat includes the following security vulnerabilities:
The SAS Environment Manager web application server in SAS® 9.4 TS1M4 and earlier is based on Apache Tomcat 8.0.36. This version of Tomcat includes the following security vulnerabilities:
- CVE-2018-1305
- CVE-2018-1304
- CVE-2017-12617
- CVE-2017-8045
- CVE-2017-5664
- CVE-2017-5647
- CVE-2016-8745
- CVE-2016-8735
Potential Impact: When you run Apache Tomcat versions 8.5.0 to 8.5.22 and 8.0.0.RC1 to 8.0.46 with HTTP PUT methods enabled, it is possible to upload a JavaServer page (JSP) file to the server via a specially crafted request. This JSP file can then be requested, and any code that the file contains can be executed by the server.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | SAS Release | |
| Reported | Fixed* | |||
| SAS System | SAS Environment Manager | Solaris for x64 | 9.4 TS1M6 | |
| Linux for x64 | 9.4 TS1M6 | |||
| HP-UX IPF | 9.4 TS1M6 | |||
| 64-bit Enabled Solaris | 9.4 TS1M6 | |||
| 64-bit Enabled AIX | 9.4 TS1M6 | |||
| Microsoft® Windows® for x64 | 9.4 TS1M6 | |||