65934 - Hot fixes that are available to update Apache HTTP Server (httpd), OpenSSL, and Apache Tomcat versions in SAS® 9.4 and SAS® Viya® 3.5

Usage Note 65934: Hot fixes that are available to update Apache HTTP Server (httpd), OpenSSL, and Apache Tomcat versions in SAS® 9.4 and SAS® Viya® 3.5

When you run automated vulnerability scanners in your SAS 9.4 environments, outdated versions of Apache HTTP Server (httpd), OpenSSL, or Apache Tomcat are sometimes identified.

To determine the appropriate hot fix to update the identified component, you must follow these steps:

Collect the SAS versions and maintenance-release information for the relevant environment. You can use PROC SETINIT for this task. Also, generate a SAS Deployment Registry using the instructions in SAS KB0036131.
Review the DeploymentRegistry.txt or DeploymentRegistry.html file and confirm which hot fixes are currently installed.
See the tables below for the appropriate hot fixes and download/install them.
You can compare publicly available information about vulnerabilities, such as version numbers that resolve a given vulnerability, to the version numbers provided in the SAS Note to determine whether a vulnerability is patched.
Search the Security Bulletins and Vulnerability Notes sections on the SAS Product Security Bulletins page for the vulnerability that you are investigating, and apply the patches or workarounds that are provided. If you do not find a solution, open a case and detail the vulnerability and affected files/ports.

**SAS^® Viya^® 3.5 Apache Web Server (Windows Only)**

**Applicable components: Apache httpd and OpenSSL**
Hot Fix	Apache httpd Version	OpenSSL Version
Upgrading Your SAS Viya Software	2.4.57	1.0.2zh

**SAS^® 9.4 Web Server**

**Applicable components: Apache httpd and OpenSSL**
SAS^® 9.4 Maintenance Release	Product Release	Current Hot Fix	Apache httpd Version	OpenSSL Version
M8	9.47	M1V006	2.4.63	3.0.16
M7	9.46	J8M011	2.4.62	1.0.2zj
M6	9.45	E8D009	2.4.62	1.0.2zj
M5	9.44	B7Q004	2.4.27	1.0.2o
M4	9.43	A7F006	2.4.27	1.0.2o
M3	9.42	V75010	2.4.27	1.0.2o
M2	9.41 or 9.4_M2	P90009	2.4.27	1.0.2o
M1	9.4M1	S48012	2.4.27	1.0.2o
M0	9.4M0	S46010	2.4.27	1.0.2o

**SAS^® Web Application Server**

**Applicable components: Apache Tomcat**
SAS^® 9.4 Maintenance Release	Product Release	Current Hot Fix	Apache Tomcat Version
M8	9.48	M3P008	9.0.107
M7 (22w08 and later)	9.47	M3B008	9.0.107
M7 (before 22w08)	9.46	I9U003	8.5.58
M6	9.45	E3V008	8.5.58
M5	9.44	B7P005	8.5.23
M4	9.43	B1C005	8.0.47
M3	9.42	W43008	7.0.82
M2	9.41	R94007	7.0.82
M1	N/A	N/A	N/A
M0	9.4	P38005	7.0.82

**SAS^® Environment Manager**

**Applicable components: Apache Tomcat**
SAS^® 9.4 Maintenance Release	Product Release	Current Hot Fix	Apache Tomcat Version
M8	2.5M5	M2T009	9.0.104
M7	2.5M4	J9V018	9.0.104
M6	2.5M3	E8M011	9.0.22
M5	2.5M2	B7R007	8.5.35
M4	2.5M1	A8X009	8.5.32
M3	2.5M0	V76019	8.5.32
M2	2.3M0	S45014	8.5.32
M1	2.1M1	S48012	8.5.32
M0	2.1M0	S46010	8.5.32

Operating System and Release Information

Product Family	Product	System	SAS Release
Product Family	Product	System	Reported	Fixed*
SAS System	SAS Web Server	Microsoft® Windows® for x64
		64-bit Enabled AIX
		64-bit Enabled Solaris
		HP-UX IPF
		Linux for x64
		Solaris for x64
SAS System	SAS Web Application Server	Microsoft® Windows® for x64
		64-bit Enabled AIX
		64-bit Enabled Solaris
		HP-UX IPF
		Linux for x64
		Solaris for x64
SAS System	SAS Environment Manager	Microsoft® Windows® for x64
		64-bit Enabled AIX
		64-bit Enabled Solaris
		HP-UX IPF
		Linux for x64
		Solaris for x64

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Date Modified:	2025-07-01 11:08:09
Date Created:	2020-05-05 15:02:34

Type:	Usage Note
Priority:	low

Support

Usage Note 65934: Hot fixes that are available to update Apache HTTP Server (httpd), OpenSSL, and Apache Tomcat versions in SAS® 9.4 and SAS® Viya® 3.5

Operating System and Release Information