Problem Note 63338: Applications that use the comments service contain a security vulnerability with the use of comments


Severity: Medium

Description: Applications that use the comments service contain a security vulnerability with the use of comments.

Potential Impact: An attacker might be able to forge comments.

Click the Hot Fix tab in this note to access the hot fix for this issue.

After you apply the hot fix, you can prevent forgery of comments by adding the following server property to the setenv.sh file or wrapper.conf file (as appropriate) that is used to start the server where the SAS Web Infrastructure Platform is located (typically, SASServer1_1).

-Dsas.comments.disallowAuthorForgery=true

Notes:

  • Any application that creates comments on behalf of other users will lose that functionality. To enable that functionality:
    1. Create the Comments: Forge Author role (exactly as written) in SAS® Management Console.
    2. Assign the comment creators (these can be system-type users or groups) to the newly created Comments: Forge Author role.
  • Currently there is an issue with using the server property in SAS® Customer Intelligence solutions such as SAS® Marketing Automation. For these solutions, you should not use this server property at this time. Contact SAS Technical Support for more information.
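As an added example (not SAS-provided code), the following POSIX shell check reports whether a start-up file actually carries the mitigating property, so an administrator can confirm the setting after applying the hot fix. It assumes the property appears in JAVA_OPTS in setenv.sh or as a wrapper.java.additional.N entry in wrapper.conf, and treats a commented-out or "=false" entry as not set.

```shell
# Added example: verify that a SAS server start-up file enables the
# comment-forgery guard. Not part of the SAS Note; file layouts are assumed.
PROP='sas.comments.disallowAuthorForgery'

# Returns 0 when the file sets -D<PROP>=true on an active (non-comment)
# line, 1 otherwise. Lines starting with '#' are skipped because neither
# setenv.sh nor wrapper.conf pass them to the JVM.
forgery_guard_enabled() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" | grep -Fq -- "-D${PROP}=true"
}

# Prints one status line per file; returns 1 if any file lacks the property.
check_files() {
    rc=0
    for f in "$@"; do
        if forgery_guard_enabled "$f"; then
            echo "OK       $f: -D${PROP}=true is set"
        else
            echo "MISSING  $f: -D${PROP}=true is not set"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files so the check runs stand-alone. The setenv.sh
# sample enables the property; the wrapper.conf sample has it commented out.
tmp=$(mktemp -d)
cat > "$tmp/setenv.sh" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Xmx4g -Dsas.comments.disallowAuthorForgery=true"
EOF
cat > "$tmp/wrapper.conf" <<'EOF'
wrapper.java.additional.1=-Xmx4g
# wrapper.java.additional.2=-Dsas.comments.disallowAuthorForgery=true
EOF

check_files "$tmp/setenv.sh" "$tmp/wrapper.conf" \
    || echo "At least one start-up file does not enable the mitigation."
```

Point the script at the real setenv.sh or wrapper.conf of the server hosting the SAS Web Infrastructure Platform (typically SASServer1_1) instead of the constructed samples.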


Operating System and Release Information

Product Family   Product                          System                        Product Release         SAS Release
                                                                                Reported   Fixed*       Reported    Fixed*
SAS System       SAS Web Infrastructure Platform  Solaris for x64               9.4_M2     9.4_M6       9.4 TS1M2   9.4 TS1M6
SAS System       SAS Web Infrastructure Platform  Linux for x64                 9.4_M2     9.4_M6       9.4 TS1M2   9.4 TS1M6
SAS System       SAS Web Infrastructure Platform  HP-UX IPF                     9.4_M2     9.4_M6       9.4 TS1M2   9.4 TS1M6
SAS System       SAS Web Infrastructure Platform  64-bit Enabled Solaris        9.4_M2     9.4_M6       9.4 TS1M2   9.4 TS1M6
SAS System       SAS Web Infrastructure Platform  64-bit Enabled AIX            9.4_M2     9.4_M6       9.4 TS1M2   9.4 TS1M6
SAS System       SAS Web Infrastructure Platform  Microsoft® Windows® for x64   9.4_M2     9.4_M6       9.4 TS1M2   9.4 TS1M6
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.