Problem Note 65192: Possible security vulnerability involving the ARBOR procedure when nominal target variable has double-byte formatted values that exceed 256 characters


Title: Possible security vulnerability involving the ARBOR procedure when nominal target variable has double-byte formatted values that exceed 256 characters


Severity: Medium
 

Description: In SAS® Enterprise Miner™, running a node that fails with an access violation might create a possible security vulnerability.  The problem occurs when all of these conditions are true.

  • The node invokes PROC ARBOR code.  Examples: Impute, Interactive Grouping, Decision Tree, Gradient Boosting, SAS Code. 
  • You specify a nominal target.
  • Your target variable uses double-byte formatting.
  • Your target variable has double-byte formatted values that exceed 256 characters.
  • The node fails with an access violation.

To avoid the problem, do not exceed 256 characters.
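A pre-flight check for the workaround above, as an added example that is not part of the original SAS note. The table name WORK.TRAIN and the variable name TARGET are assumptions; the check counts characters, as the note words the limit, and reports the byte length only for information.

```sas
/* Added example, not SAS-supplied code.                              */
/* Assumptions: WORK.TRAIN is the training table and TARGET is the    */
/* nominal target variable with a double-byte format attached.        */
%let ds     = work.train;
%let target = target;

data work.long_target_values;
   set &ds;
   /* Declare the length first: VVALUE otherwise defaults to $200     */
   /* and would truncate the values this check is looking for.        */
   length _fmtval $32767;
   _fmtval = vvalue(&target);      /* value as rendered by the format */
   _nchars = klength(_fmtval);     /* DBCS-aware character count      */
   _nbytes = length(_fmtval);      /* byte count, informational       */
   if _nchars > 256;               /* keep only offending rows        */
   keep &target _fmtval _nchars _nbytes;
run;

/* Count the offending rows and write the result to the log. */
proc sql noprint;
   select count(*) into :n_over trimmed
   from work.long_target_values;
quit;

%put NOTE: &n_over row(s) in &ds have a formatted &target value longer than 256 characters.;
```

If the count is nonzero, shorten the format labels for the rows listed in WORK.LONG_TARGET_VALUES before running a node that invokes PROC ARBOR.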

 

Potential Impact: The above condition could result in a loss of confidentiality, integrity, and/or availability that might result in a cyber incident/cyber breach.

 

 



Operating System and Release Information

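| Product Family | Product | System | Product Release (Reported) | Product Release (Fixed*) | SAS Release (Reported) | SAS Release (Fixed*) |
|---|---|---|---|---|---|---|
| SAS System | SAS Enterprise Miner | Microsoft Windows 8.1 Pro 32-bit | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows 8.1 Enterprise x64 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows 8.1 Enterprise 32-bit | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | 64-bit Enabled Solaris | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | 64-bit Enabled AIX | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Windows 7 Professional x64 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Windows 7 Enterprise x64 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows Server 2012 Std | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows Server 2012 R2 Std | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows Server 2012 R2 Datacenter | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows Server 2012 Datacenter | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows Server 2008 for x64 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows Server 2008 R2 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows 8 Pro x64 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows 8 Enterprise x64 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft® Windows® for x64 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows 10 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Microsoft Windows 8.1 Pro x64 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | HP-UX IPF | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Linux for x64 | 12.3 | | 9.4 TS1M0 | |
| SAS System | SAS Enterprise Miner | Solaris for x64 | 12.3 | | 9.4 TS1M0 | |
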
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.