63029 - The url_list.txt file in the Search Interface for SAS® Content configuration directory contains an encoded password

Problem Note 63029: The url_list.txt file in the Search Interface for SAS® Content configuration directory contains an encoded password

Severity: High

CVSS Score: High

Description: The url_list.txt file in the Search Interface for SAS Content configuration directory contains the encoded password for the internal account (by default, sassearch@saspw) that is used to provide content to SAS Information Retrieval Studio for indexing. The configuration directory is available in SAS-configuration-directory/lev-N/Web/Applications/SearchInterfacetoSASContent.

Potential Impact: An attacker who gains access to the file system might obtain credentials from the url_list.txt file, decode the password, and then use those credentials to gain access to applications and data that they should not have.

Click the Hot Fix tab in this note to access the hot fix for this issue.

For releases 3.1, 3.2, and 3.3, you must apply the hot fix for this issue to enable an alternate mechanism for providing content to SAS Information Retrieval Studio. After applying the hot fix, you can remove the URL from url_list.txt. You should also run the unschedule script that is located in the same directory to remove scheduling for the existing indexing job.

For releases 3.4, 3.5, and 3.6, an alternate mechanism for providing content to SAS Information Retrieval Studio already exists, so no hot fix is required. You can simply remove the URL from the url_list.txt file.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
			Reported	Fixed*	Reported	Fixed*
SAS System	Search Interface to SAS Content	Linux for x64	3.1	3.7	9.4 TS1M0	9.4 TS1M6
		Microsoft® Windows® for x64	3.1	3.7	9.4 TS1M0	9.4 TS1M6

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

A fix for this issue for Search Interface to SAS Content 3.3 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/D3C.html#63029

A fix for this issue for Search Interface to SAS Content 3.2 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/D3B.html#63029

A fix for this issue for Search Interface to SAS Content 3.1 is available at:

https://tshf.sas.com/techsup/download/hotfix/HF2/D3A.html#63029

The url_list.txt file in the Search Interface for SAS Content configuration directory contains the encoded password for the internal account (by default, sassearch@saspw) that is used to provide content to SAS Information Retrieval Studio for indexing.

Type:	Problem Note
Priority:	high

Date Modified:	2019-02-12 15:29:49
Date Created:	2018-10-04 17:41:12

Support

Problem Note 63029: The url_list.txt file in the Search Interface for SAS® Content configuration directory contains an encoded password

Operating System and Release Information