Problem Note 65716: SAS® BI Dashboard contains a remote code-execution vulnerability
 |  |  |  |  |
Severity: High
Description: SAS BI Dashboard contains a remote code-execution vulnerability via de-serialization of AMF payload.
Potential Impact: An authenticated SAS® software user might execute system commands on the host server.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS BI Dashboard | Solaris for x64 | 4.4_M6 | 9.4 TS1M6 | ||
| Linux for x64 | 4.4_M6 | 9.4 TS1M6 | ||||
| HP-UX IPF | 4.4_M6 | 9.4 TS1M6 | ||||
| 64-bit Enabled Solaris | 4.4_M6 | 9.4 TS1M6 | ||||
| 64-bit Enabled AIX | 4.4_M6 | 9.4 TS1M6 | ||||
| Microsoft® Windows® for x64 | 4.4_M6 | 9.4 TS1M6 | ||||
A fix for this issue for SAS BI Dashboard 4.4_M6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/H4L.html#65716
An authenticated attacker can submit crafted AMF for deserialization, bypassing filters.
| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2020-04-09 09:44:49 |
| Date Created: | 2020-03-20 11:03:17 |