SUPPORT / SAMPLES & SAS NOTES
Problem Note 64256: The Apache Solr version that is supported by SAS® Enterprise Case Management is vulnerable to the issue that is described in CVE-2016-1000031
 |  |  |  |
Severity: High
Description: The Apache Commons FileUpload library that is included with Apache Solr 4.7.2 and 5.5.5 is vulnerable to remote code execution via deserialization. Apache Solr, which contains the library, is used with SAS Enterprise Case Management. For details about the vulnerability, see CVE-2016-1000031.
Potential Impact: An attacker might execute malicious code on your system.
Solution: Manually replace the affected Apache Commons FileUpload library in the Solr application by following these steps:
- Download the commons-fileupload-1.3.3.jar file from this location: central.maven.org/maven2/commons-fileupload/commons-fileupload/1.3.3/
- Save the commons-fileupload-1.3.3.jar file to this directory: solr_installation_directory/server/solr-webapp/webapp/WEB-INF/lib
- Submit the following command to rename the original JAR file so that it is not loaded:
mv commons-fileupload-1.3.2.jar commons-fileupload-1.3.2.jar.orig
- Restart Solr and verify initialization by submitting the following command:
solr__installation_directory/bin/solr restart
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Web Infrastructure Platform | Microsoft® Windows® for x64 | 9.4_M3 | 9.4_M3 | 9.4 TS1M3 | 9.4 TS1M3 |
| 64-bit Enabled AIX | 9.4_M3 | 9.4_M3 | 9.4 TS1M3 | 9.4 TS1M3 | ||
| 64-bit Enabled Solaris | 9.4_M3 | 9.4_M3 | 9.4 TS1M3 | 9.4 TS1M3 | ||
| HP-UX IPF | 9.4_M3 | 9.4_M3 | 9.4 TS1M3 | 9.4 TS1M3 | ||
| Linux for x64 | 9.4_M3 | 9.4_M3 | 9.4 TS1M3 | 9.4 TS1M3 | ||
| Solaris for x64 | 9.4_M3 | 9.4_M3 | 9.4 TS1M3 | 9.4 TS1M3 | ||