SUPPORT / SAMPLES & SAS NOTES
Problem Note 62682: SAS® Model Risk Management and SAS® Enterprise GRC include a version of Apache POI that contains security vulnerabilities
 |  |  |  |  |
Severity: High
Description: Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption). The remote attack potentially uses a specially crafted OOXML file, also known as an XML Entity Expansion (XEE) attack.
Potential Impact: There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.
For additional details see: CVE-2017-5644
Description: Apache POI in versions prior to release 3.17 are vulnerable to the following Denial of Service Attacks:
- Infinite Loops while parsing crafted WMF, EMF, MSG, and macros (POI bugs 61338 and 61294), and
- Out of Memory Exceptions while parsing crafted DOC, PPT, and XLS (POI bugs 52372 and 61295).
Potential Impact: There is reduced performance or interruptions in resource availability.
For additional details see: CVE-2017-12626
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Model Risk Management | Microsoft® Windows® for x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 |
| Microsoft Windows 8 Enterprise 32-bit | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows 8 Enterprise x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows 8 Pro 32-bit | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows 8 Pro x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows 8.1 Enterprise 32-bit | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows 8.1 Enterprise x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows 8.1 Pro 32-bit | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows 8.1 Pro x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows 10 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows Server 2008 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows Server 2008 R2 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows Server 2008 for x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows Server 2012 Datacenter | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows Server 2012 R2 Datacenter | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows Server 2012 R2 Std | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Microsoft Windows Server 2012 Std | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Windows 7 Enterprise 32 bit | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Windows 7 Enterprise x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Windows 7 Home Premium 32 bit | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Windows 7 Home Premium x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Windows 7 Professional 32 bit | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Windows 7 Professional x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Windows 7 Ultimate 32 bit | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Windows 7 Ultimate x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| 64-bit Enabled AIX | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| 64-bit Enabled Solaris | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| HP-UX IPF | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Linux for x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| Solaris for x64 | 6.1 | 7.4 | 9.4 TS1M2 | 9.4 TS1M5 | ||
| SAS System | SAS Enterprise GRC | Windows 7 Home Premium x64 | 5.1_M5 | 9.3 TS1M2 | ||
| Windows 7 Home Premium 32 bit | 5.1_M5 | 9.3 TS1M2 | ||||
| Windows 7 Enterprise x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Windows 7 Enterprise 32 bit | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows XP Professional | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2012 Std | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2012 R2 Std | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2012 R2 Datacenter | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2012 Datacenter | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2008 for x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2008 R2 | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2008 | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2003 for x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2003 Standard Edition | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2003 Enterprise Edition | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows Server 2003 Datacenter Edition | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows 8.1 Pro x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows 8.1 Pro 32-bit | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows 8.1 Enterprise x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows 8.1 Enterprise 32-bit | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows 8 Pro x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows 8 Pro 32-bit | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows 8 Enterprise x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft Windows 8 Enterprise 32-bit | 5.1_M5 | 9.3 TS1M2 | ||||
| Microsoft® Windows® for x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Windows 7 Professional 32 bit | 5.1_M5 | 9.3 TS1M2 | ||||
| Windows 7 Professional x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Windows 7 Ultimate 32 bit | 5.1_M5 | 9.3 TS1M2 | ||||
| Windows 7 Ultimate x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Windows Vista | 5.1_M5 | 9.3 TS1M2 | ||||
| Windows Vista for x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| 64-bit Enabled AIX | 5.1_M5 | 9.3 TS1M2 | ||||
| 64-bit Enabled Solaris | 5.1_M5 | 9.3 TS1M2 | ||||
| HP-UX IPF | 5.1_M5 | 9.3 TS1M2 | ||||
| Linux for x64 | 5.1_M5 | 9.3 TS1M2 | ||||
| Solaris for x64 | 5.1_M5 | 9.3 TS1M2 | ||||