65983 - The LUA procedure contains an authorization-bypass vulnerability

Problem Note 65983: The LUA procedure contains an authorization-bypass vulnerability

Severity: High

Description: PROC LUA contains a vulnerability that allows a user of SAS^® software to bypass the LOCKDOWN option.

Potential Impact: A user can execute arbitrary code on the server.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Note: On the Hot Fix tab are hot fixes that disable all of the operating-system library functions for PROC LUA when the procedure runs with the LOCKDOWN option. If you need to access the library functions, add the following line to your SAS AUTOEXEC_USERMODS file for the appropriate server:

lockdown enable_ams=LUA_ENABLE_OS;

Note: On the Hot Fix tab are hot fixes that disable all of the input/output library functions for PROC LUA when the procedure runs with the LOCKDOWN option. If you need to access the library functions, add the following line to your SAS AUTOEXEC_USERMODS file for the appropriate server:

lockdown enable_ams=LUA_ENABLE_IO;

Note: For SAS^® Viya^® 3.5, if running in a multi-tenant environment, modify the autoexec_usermods file that is specific to the tenant requiring the library functions.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	Base SAS	z/OS 64-bit	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		z/OS	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft® Windows® for x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows 8 Enterprise 32-bit	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows 8 Enterprise x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows 8 Pro 32-bit	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows 8 Pro x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows 8.1 Enterprise 32-bit	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows 8.1 Enterprise x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows 8.1 Pro 32-bit	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows 8.1 Pro x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows 10	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows Server 2008	9.4_M5		9.4 TS1M5
		Microsoft Windows Server 2008 R2	9.4_M5		9.4 TS1M5
		Microsoft Windows Server 2008 for x64	9.4_M5		9.4 TS1M5
		Microsoft Windows Server 2012 Datacenter	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows Server 2012 R2 Datacenter	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows Server 2012 R2 Std	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows Server 2012 Std	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Microsoft Windows Server 2016	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Windows 7 Enterprise 32 bit	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Windows 7 Enterprise x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Windows 7 Home Premium 32 bit	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Windows 7 Home Premium x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Windows 7 Professional 32 bit	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Windows 7 Professional x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Windows 7 Ultimate 32 bit	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Windows 7 Ultimate x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		64-bit Enabled AIX	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		64-bit Enabled Solaris	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		HP-UX IPF	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Linux for x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7
		Solaris for x64	9.4_M5	9.4_M7	9.4 TS1M5	9.4 TS1M7

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type:	Problem Note
Priority:	high

Date Modified:	2022-02-11 11:35:43
Date Created:	2020-05-14 09:48:33

Support

Problem Note 65983: The LUA procedure contains an authorization-bypass vulnerability

Operating System and Release Information