Problem Note 63391: The SAS® 9.4 Web Infrastructure Platform contains a remote-code execution vulnerability


Severity: Critical

Description: The SAS 9.4 Web Infrastructure Platform is vulnerable to remote code execution via a Java de-serialization variant.

Potential Impact: Attackers can execute code on the server.

The remediation of this issue depends on the maintenance level of the affected SAS 9.4 software, as follows:

  • SAS 9.4M6 (TS1M6): No action is required. The issue is resolved in this release.
  • SAS 9.4M5 (TS1M5): Apply the SAS® Security Update for 9.4M5.
  • SAS 9.4M4 (TS1M4) and earlier: Follow the steps below. Note: Replace SAS-configuration-directory in the steps below with the complete path to your SAS configuration folder.
     
    1. Ensure that the SAS® software is updated with SAS Security Update 2017-09.
    2. Download the ZIP file that is on the Downloads tab and extract the serialization.conf file.
    3. Copy the serialization.conf file to SAS-configuration-directory/Lev1/Web/WebAppServer/SASServerX_Y/conf/.
    4. Add the following JVM argument to the start-up arguments for SASServerX_Y:
      -Dhttpinvoker.deserialization.configfile=file:///SAS-configuration-directory/Lev1/Web/WebAppServer/SASServerX_Y/conf/serialization.conf
    5. Repeat steps 1-3 for any additional SASServerX_Y instances, if the environment is clustered.
    6. Restart all SAS 9.4 Web Application Server instances.


Operating System and Release Information

Product Family | Product | System | Product Release (Reported) | Product Release (Fixed*) | SAS Release (Reported) | SAS Release (Fixed*)
SAS System | SAS Web Infrastructure Platform | Microsoft® Windows® for x64 | 9.4 | 9.4_M6 | 9.4 TS1M0 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | HP-UX IPF | 9.4 | 9.4_M6 | 9.4 TS1M0 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled Solaris | 9.4 | 9.4_M6 | 9.4 TS1M0 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled AIX | 9.4 | 9.4_M6 | 9.4 TS1M0 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | Linux for x64 | 9.4 | 9.4_M6 | 9.4 TS1M0 | 9.4 TS1M6
SAS System | SAS Web Infrastructure Platform | Solaris for x64 | 9.4 | 9.4_M6 | 9.4 TS1M0 | 9.4 TS1M6
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.