68791 - A security vulnerability can occur with the X12 or X13 procedures when the FORCE=TOTALS or FORCE=BOTH option is specified

Problem Note 68791: A security vulnerability can occur with the X12 or X13 procedures when the FORCE=TOTALS or FORCE=BOTH option is specified

Severity: High

Description: If the FORCE=TOTALS or FORCE=BOTH option is specified in the X11 statement, and the time series span is more than 186 years, PROC X12 or PROC X13 might cause SAS^® to terminate or stop processing with the following errors:

ERROR:  An exception has been encountered.

Please contact technical support and provide them with the following traceback information:

The SAS task name is [X12]

ERROR:  Read Access Violation X12

Exception occurred at (25E1D580)

Task Traceback

There is no circumvention for this problem.

Potential Impact: The resulting read access violation introduces a potential security risk.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	SAS/ETS	HP-UX IPF	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows 8 Enterprise 32-bit	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft® Windows® for x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Solaris for x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Linux for x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		64-bit Enabled Solaris	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Windows 7 Ultimate x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Windows 7 Professional x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Windows 7 Home Premium x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Windows 7 Home Premium 32 bit	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Windows 7 Enterprise 32 bit	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows Server 2012 Std	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows Server 2012 R2 Std	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows Server 2012 R2 Datacenter	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows Server 2012 Datacenter	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows Server 2008 for x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows Server 2008	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows 8.1 Pro x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows 8.1 Enterprise x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows 8 Pro x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows 8 Pro 32-bit	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows 8 Enterprise x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		z/OS	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		64-bit Enabled AIX	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Windows 7 Ultimate 32 bit	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Windows 7 Professional 32 bit	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Windows 7 Enterprise x64	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows Server 2008 R2	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows 10	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows 8.1 Pro 32-bit	13.2	15.3	9.4 TS1M2	9.4 TS1M8
		Microsoft Windows 8.1 Enterprise 32-bit	13.2	15.3	9.4 TS1M2	9.4 TS1M8

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type:	Problem Note
Priority:	high
Topic:	Analytics ==> Econometrics Analytics ==> Time Series Analysis SAS Reference ==> Procedures ==> X12 SAS Reference ==> Procedures ==> X13

Date Modified:	2022-06-15 12:54:46
Date Created:	2022-01-14 15:45:43

Support

Problem Note 68791: A security vulnerability can occur with the X12 or X13 procedures when the FORCE=TOTALS or FORCE=BOTH option is specified

Operating System and Release Information