Severity: Medium

Description: The following versions of PostgreSQL are used as the underlying technology for the SAS Infrastructure Data Server in SAS Viya 3.5:

• PostgreSQL 11.x
• PostgreSQL 15.x

These versions of PostgreSQL have the following known security vulnerabilities:

• Vulnerability Summary for CVE-2024-0985
• Vulnerability Summary for CVE-2023-5870
• Vulnerability Summary for CVE-2023-5869
• Vulnerability Summary for CVE-2023-5868
• Vulnerability Summary for CVE-2023-39417
• Vulnerability Summary for CVE-2023-2455
• Vulnerability Summary for CVE-2023-2454
• Vulnerability Summary for CVE-2022-37434
• Vulnerability Summary for CVE-2022-2625
• Vulnerability Summary for CVE-2021-32029
• Vulnerability Summary for CVE-2021-32028
• Vulnerability Summary for CVE-2021-32027
• Vulnerability Summary for CVE-2021-23222
• Vulnerability Summary for CVE-2021-23214
• Vulnerability Summary for CVE-2021-3677
• Vulnerability Summary for CVE-2021-3393
• Vulnerability Summary for CVE-2020-25696
• Vulnerability Summary for CVE-2020-25695
• Vulnerability Summary for CVE-2020-25694
• Vulnerability Summary for CVE-2020-14350
• Vulnerability Summary for CVE-2020-14349
• Vulnerability Summary for CVE-2020-10733
• Vulnerability Summary for CVE-2020-1720

Potential Impact:

• Role "pg_signal_backend" can signal certain superuser processes.
• Buffer overrun from integer overflow exists in array modification.
• Memory disclosure occurs in aggregate function calls.
• An authenticated attacker could use this flaw in certain configurations to perform drop objects, leading to database corruption.
• An authenticated attacker could use this flaw in an attack in order to execute arbitrary SQL commands in the context of the user used for replication.
• An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension.
• An opportunity for a man-in-the-middle attack or the ability to observe clear text transmissions.
• Creation of non-temporary objects can execute arbitrary SQL functions under the identity of a super user.
• Buffer overrun from integer overflow in array subscripting calculations.
• Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE.
• Memory disclosure in partitioned-table UPDATE ... RETURNING.

SAS supports all versions of the database delivered with the product but only the latest version, PostgreSQL 15.x, continues to receive security fixes from the PostgreSQL community.

SAS recommends upgrading to PostgreSQL 15.x by following the instructions in Upgrading PostgreSQL in SAS Viya.

To determine whether you need a new order for this upgrade, you might need to reference the following:

SAS KB0037227, "Determine whether you need a new order for PostgreSQL 15 on SAS® Viya® 3.5 (Linux)"

SAS KB0037228, "Determine whether you need a new order for PostgreSQL 15 on SAS® Viya® 3.5 (Windows)"

After you upgrade PostgreSQL to 15.x and then update to 15.6 by applying this hot fix, all of these security concerns will be addressed.

Note: After the upgrade, the previous PostgreSQL binaries and RPMs will remain on the system and should not be removed. Removing them will cause the environment to become unstable because it has the potential to remove components of the SAS Infrastructure Data Server. They are also used in future upgrade checks.

Click the Hot Fix tab in this note for a link to instructions about accessing and applying the software update.

Operating System and Release Information

Viya on Windows: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Windows Deployment Guide at

Viya on Linux: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Linux Deployment Guide at