Severity: Medium

Description: The following version of the PostgreSQL ODBC driver is used as the underlying technology for the SAS^® Infrastructure Data Server in SAS Viya 3.5:

• PostgreSQL 11.x (SAS Viya)
• PostgreSQL 12.x (SPRE)

This version of the PostgreSQL ODBC driver has the following known security vulnerabilities:

• Vulnerability Summary for CVE-2021-20229
• Vulnerability Summary for CVE-2021-3393
• Vulnerability Summary for CVE-2022-37434

Potential Impact:

• Users that have UPDATE but not SELECT permission might still be able to obtain information from Write-only columns.
• Users that have SELECT permission on only certain columns might still be able to gain information from all columns.

Updating the PostgreSQL ODBC driver from 11.x to 11.01 (SAS Viya) and PostgreSQL ODBC from 12.x to 12.02 (SPRE) addresses all of these security concerns.

Click the Hot Fix tab in this note for a link to instructions about accessing and applying the software update.

Operating System and Release Information

Viya on Windows: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Windows Deployment Guide at

Viya on Linux: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Linux Deployment Guide at