65192 - Possible security vulnerability involving the ARBOR procedure when nominal target variable has double-byte formatted values that exceed 256 characters

Problem Note 65192: Possible security vulnerability involving the ARBOR procedure when nominal target variable has double-byte formatted values that exceed 256 characters

Title: Possible security vulnerability involving the ARBOR procedure when nominal target variable has double-byte formatted values that exceed 256 characters

Severity: Medium

Description: In SAS® Enterprise Miner™, running a node that fails with an access violation might create a possible security vulnerability. The problem occurs when all of these conditions are true.

The node invokes PROC ARBOR code. Examples: Impute, Interactive Grouping, Decision Tree, Gradient Boosting, SAS Code.
You specify a nominal target.
Your target variable uses double-byte formatting.
Your target variable has double-byte formatted values that exceed 256 characters.
The node fails with an access violation.

To avoid the problem, do not exceed 256 characters.

Potential Impact: The above condition could result in a lack of confidentiality, integrity, and/or
availability that might result in a cyber incident/cyber breach.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	SAS Enterprise Miner	Microsoft Windows 8.1 Pro 32-bit	12.3		9.4 TS1M0
		Microsoft Windows 8.1 Enterprise x64	12.3		9.4 TS1M0
		Microsoft Windows 8.1 Enterprise 32-bit	12.3		9.4 TS1M0
		64-bit Enabled Solaris	12.3		9.4 TS1M0
		64-bit Enabled AIX	12.3		9.4 TS1M0
		Windows 7 Professional x64	12.3		9.4 TS1M0
		Windows 7 Enterprise x64	12.3		9.4 TS1M0
		Microsoft Windows Server 2012 Std	12.3		9.4 TS1M0
		Microsoft Windows Server 2012 R2 Std	12.3		9.4 TS1M0
		Microsoft Windows Server 2012 R2 Datacenter	12.3		9.4 TS1M0
		Microsoft Windows Server 2012 Datacenter	12.3		9.4 TS1M0
		Microsoft Windows Server 2008 for x64	12.3		9.4 TS1M0
		Microsoft Windows Server 2008 R2	12.3		9.4 TS1M0
		Microsoft Windows 8 Pro x64	12.3		9.4 TS1M0
		Microsoft Windows 8 Enterprise x64	12.3		9.4 TS1M0
		Microsoft® Windows® for x64	12.3		9.4 TS1M0
		Microsoft Windows 10	12.3		9.4 TS1M0
		Microsoft Windows 8.1 Pro x64	12.3		9.4 TS1M0
		HP-UX IPF	12.3		9.4 TS1M0
		Linux for x64	12.3		9.4 TS1M0
		Solaris for x64	12.3		9.4 TS1M0

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type:	Problem Note
Priority:	medium

Date Modified:	2019-12-19 10:58:20
Date Created:	2019-12-03 12:36:56

Support

Problem Note 65192: Possible security vulnerability involving the ARBOR procedure when nominal target variable has double-byte formatted values that exceed 256 characters

Operating System and Release Information