Problem Note 63338: Applications that use the comments service contain a security vulnerability with the use of comments
Severity: Medium
Description: Applications that use the comments service contain a security vulnerability with the use of comments.
Potential Impact: An attacker might be able to forge comments, that is, create comments whose recorded author is another user.
Click the Hot Fix tab in this note to access the hot fix for this issue.
After you apply the hot fix, you can prevent author forgery by adding the following JVM system property to the setenv.sh file or wrapper.conf file (as appropriate) that is used to start the server on which the SAS Web Infrastructure Platform is deployed (typically SASServer1_1), and then restarting that server so the new option takes effect:
-Dsas.comments.disallowAuthorForgery=true
Notes:
- Any application that creates comments on behalf of other users loses that functionality, because the property restricts it to holders of a specific role. To re-enable it for those applications:
  - In SAS® Management Console, create the role Comments: Forge Author (the name must match exactly).
  - Assign the newly created Comments: Forge Author role to the identities that create comments on behalf of others (these can be system-type users or groups). Only identities that hold this role may then set a comment's author to another user.
- There is currently an issue with using this server property in SAS® Customer Intelligence solutions such as SAS® Marketing Automation. For those solutions, do not set the property at this time; contact SAS Technical Support for more information.
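The following shell script is an added example, not part of this SAS note and not SAS-supplied code. It applies the server property described above to a setenv.sh or wrapper.conf file idempotently (so re-running it does not duplicate the option) and verifies the result. The JVM_OPTS variable name used in setenv.sh, and the use of the standard Java Service Wrapper form wrapper.java.additional.N in wrapper.conf, are assumptions about the deployment; check your own start-up files before running it against a live server.

```shell
#!/bin/sh
# Added example (not from the SAS note): idempotently add the
# -Dsas.comments.disallowAuthorForgery=true JVM option to the file that
# starts the SAS Web Infrastructure Platform server (typically SASServer1_1).
#
# Assumptions (verify against your deployment):
#   - setenv.sh builds its Java options in a JVM_OPTS shell variable
#   - wrapper.conf uses the Java Service Wrapper syntax
#     wrapper.java.additional.N=<option>

PROP='-Dsas.comments.disallowAuthorForgery=true'

# has_forgery_guard FILE
# Exit status 0 if the property is already present in FILE, 1 otherwise.
# "--" stops grep from reading the leading "-D" as an option.
has_forgery_guard() {
    grep -q -- "$PROP" "$1"
}

# add_forgery_guard FILE
# Appends the property in the syntax appropriate for FILE, unless it is
# already there, then re-checks. Exit status 0 means the property is set.
add_forgery_guard() {
    file="$1"
    if has_forgery_guard "$file"; then
        return 0
    fi
    case "$file" in
        *wrapper.conf)
            # Use the next free wrapper.java.additional index so existing
            # options (heap size, GC flags, ...) are not overwritten.
            n=$(sed -n 's/^wrapper\.java\.additional\.\([0-9]*\)=.*/\1/p' "$file" \
                | sort -n | tail -1)
            n=$(( ${n:-0} + 1 ))
            printf 'wrapper.java.additional.%s=%s\n' "$n" "$PROP" >> "$file"
            ;;
        *)
            # setenv.sh: extend JVM_OPTS rather than replacing it.
            printf 'JVM_OPTS="$JVM_OPTS %s"\n' "$PROP" >> "$file"
            ;;
    esac
    has_forgery_guard "$file"
}

# Example invocation (path is an assumption; adjust for your install):
# add_forgery_guard /opt/sas/config/Lev1/Web/WebAppServer/SASServer1_1/bin/setenv.sh
```

After the server has been restarted, confirm the option actually reached the JVM rather than only the file, for example by checking the SASServer1_1 Java process's command line with ps (or Task Manager / the wrapper log on Windows) for the string sas.comments.disallowAuthorForgery.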
Operating System and Release Information
Product Family | Product | System | Product Release Reported In | Product Release Fixed In* | SAS Release Reported In | SAS Release Fixed In*
SAS System | SAS Web Infrastructure Platform | Solaris for x64 | 9.4_M2 | 9.4_M6 | 9.4 TS1M2 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | Linux for x64 | 9.4_M2 | 9.4_M6 | 9.4 TS1M2 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | HP-UX IPF | 9.4_M2 | 9.4_M6 | 9.4 TS1M2 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled Solaris | 9.4_M2 | 9.4_M6 | 9.4 TS1M2 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled AIX | 9.4_M2 | 9.4_M6 | 9.4 TS1M2 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | Microsoft® Windows® for x64 | 9.4_M2 | 9.4_M6 | 9.4 TS1M2 | 9.4 TS1M6
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Type: | Problem Note |
Priority: | high |
Date Modified: | 2018-12-13 08:12:22 |
Date Created: | 2018-12-06 06:14:29 |