Problem Note 62987: SAS® BI Web Services contains an XML External Entity (XXE) vulnerability
 |  |  |  |  |
Severity: Medium
Description: The web application allows document type definitions and external entities from potentially untrustworthy XML.
Potential Impact: An attacker might gain unauthorized access to files on the server.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Web Infrastructure Platform | Microsoft® Windows® for x64 | 9.4_M3 | 9.4_M6 | 9.4 TS1M3 | 9.4 TS1M6 |
| 64-bit Enabled AIX | 9.4_M3 | 9.4_M6 | 9.4 TS1M3 | 9.4 TS1M6 | ||
| 64-bit Enabled Solaris | 9.4_M3 | 9.4_M6 | 9.4 TS1M3 | 9.4 TS1M6 | ||
| HP-UX IPF | 9.4_M3 | 9.4_M6 | 9.4 TS1M3 | 9.4 TS1M6 | ||
| Linux for x64 | 9.4_M3 | 9.4_M6 | 9.4 TS1M3 | 9.4 TS1M6 | ||
| Solaris for x64 | 9.4_M3 | 9.4_M6 | 9.4 TS1M3 | 9.4 TS1M6 | ||
A fix for this issue for SAS Middle Tier 9.4_M5 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/B6K.html#62987A fix for this issue for SAS Middle Tier 9.4_M4 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/A4I.html#62987A fix for this issue for SAS Middle Tier 9.4_M3 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/V10.html#62987A fix for this issue for SAS Middle Tier 9.4_M2 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/R75.html#62987| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2019-01-04 13:09:48 |
| Date Created: | 2018-09-26 10:19:04 |