Problem Note 64563: The SAS® 9.4 middle-tier services contain Apache Commons FileUpload components that are vulnerable to CVE-2016-1000031
 |  |  |  |
Severity: Critical
Description: Multiple SAS® middle-tier components that are included with SAS® 9.4 software [up to and including release 9.4M6 (TS1M6)] contain the Apache commons-file-upload-1.3.3 library that is vulnerable to the situation that is described in CVE-2016-1000031.
Potential Impact: An attacker might execute malicious code remotely on the server.
Remediation Notes: You can safely remove the vulnerable components by removing the following files:
- SAS-configuration-directory/Lev1/Web/gemfire/tools/Extensions/gemfire.war
- SAS-configuration-directory/Lev1/Web/gemfire/tools/Extensions/gemfire-api.war.
- SAS-configuration-directory/Lev1/Web/Scripts/WebServer/src/Config/vfabrictcsvr/gemfire.zip
- SAS-configuration-directory/Lev1/Web/Scripts/SASEnvironmentManager/src/Config/vfabrictcsvr/gemfire.zip
- SAS-configuration-directory/Lev1/Web/Scripts/SASEnvironmentManagerAgent/src/Config/vfabrictcsvr/gemfire.zip
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Cache Locator | Microsoft® Windows® for x64 | 9.4 | |||
| Microsoft Windows 8 Enterprise 32-bit | 9.4 | |||||
| Microsoft Windows 8 Enterprise x64 | 9.4 | |||||
| Microsoft Windows 8 Pro 32-bit | 9.4 | |||||
| Microsoft Windows 8 Pro x64 | 9.4 | |||||
| Microsoft Windows 8.1 Enterprise 32-bit | 9.4 | |||||
| Microsoft Windows 8.1 Enterprise x64 | 9.4 | |||||
| Microsoft Windows 8.1 Pro 32-bit | 9.4 | |||||
| Microsoft Windows 8.1 Pro x64 | 9.4 | |||||
| Microsoft Windows 10 | 9.4 | |||||
| Microsoft Windows 95/98 | 9.4 | |||||
| Microsoft Windows 2000 Advanced Server | 9.4 | |||||
| Microsoft Windows 2000 Datacenter Server | 9.4 | |||||
| Microsoft Windows 2000 Server | 9.4 | |||||
| Microsoft Windows 2000 Professional | 9.4 | |||||
| Microsoft Windows NT Workstation | 9.4 | |||||
| Microsoft Windows Server 2003 Datacenter Edition | 9.4 | |||||
| Microsoft Windows Server 2003 Enterprise Edition | 9.4 | |||||
| Microsoft Windows Server 2003 Standard Edition | 9.4 | |||||
| Microsoft Windows Server 2003 for x64 | 9.4 | |||||
| Microsoft Windows Server 2008 | 9.4 | |||||
| Microsoft Windows Server 2008 R2 | 9.4 | |||||
| Microsoft Windows Server 2008 for x64 | 9.4 | |||||
| Microsoft Windows Server 2012 Datacenter | 9.4 | |||||
| Microsoft Windows Server 2012 R2 Datacenter | 9.4 | |||||
| Microsoft Windows Server 2012 R2 Std | 9.4 | |||||
| Microsoft Windows Server 2012 Std | 9.4 | |||||
| Microsoft Windows Server 2016 | 9.4 | |||||
| Microsoft Windows Server 2019 | 9.4 | |||||
| Microsoft Windows XP Professional | 9.4 | |||||
| Windows 7 Enterprise 32 bit | 9.4 | |||||
| Windows 7 Enterprise x64 | 9.4 | |||||
| Windows 7 Home Premium 32 bit | 9.4 | |||||
| Windows 7 Home Premium x64 | 9.4 | |||||
| Windows 7 Professional 32 bit | 9.4 | |||||
| Windows 7 Professional x64 | 9.4 | |||||
| Windows 7 Ultimate 32 bit | 9.4 | |||||
| Windows 7 Ultimate x64 | 9.4 | |||||
| Windows Millennium Edition (Me) | 9.4 | |||||
| Windows Vista | 9.4 | |||||
| Windows Vista for x64 | 9.4 | |||||
| 64-bit Enabled AIX | 9.4 | |||||
| HP-UX IPF | 9.4 | |||||
| Linux for x64 | 9.4 | |||||
| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2019-08-06 15:36:55 |
| Date Created: | 2019-08-06 10:00:35 |