Problem Note 68897: The SAS® Web Application Server 9.46 contains third-party Java libraries with known vulnerabilities


Severity: High

Description: SAS Web Application Server 9.46 contains these third-party Java libraries with known vulnerabilities:

  • CVE-2020-28052: Bouncy Castle Crypto package 1.65 (bcprov-jdk15on-1.65.jar)
  • CVE-2020-13956: Apache HttpClient 4.5.12 (httpclient-4.5.12.jar)

Potential Impact: The impact varies by vulnerability. For details, see the CVE entries listed above.

Resolution: To address this problem, you must first upgrade the SAS Web Application Server to version 9.47, and then manually delete the vulnerable JAR files. 

Upgrading the SAS Web Application Server to Version 9.47

SAS Web Application Server 9.47 is provided as a release, not as a hot fix. Therefore, to upgrade SAS Web Application Server, you must update the SAS environment to SAS® 9.4M7 (TS1M7), Rev. 940_22w08 or later.

  • To check the currently installed SAS Web Application Server version, follow the instructions in SAS KB0036131 to generate the registry report (DeploymentRegistry.txt) in the middle-tier server. In the registry report, the version number is listed in the Version field of the product tcsvr as shown below. If the version number is 9.46 or lower, you need to upgrade to 9.47:
        Product: tcsvr
        Version: 9.46
   Display Name: SAS Web Application Server
Display Version: 9.46
 

Removing the Vulnerable JAR Files after Upgrade

Once the SAS environment has been updated with SAS 9.4M7, Rev. 940_22w08 or later, you must manually delete the bcprov-jdk15on-1.65.jar and httpclient-4.5.12.jar files from the following locations:

  • SASHome/SASWebApplicationServer/9.4/tomcat-7.0.106.A.RELEASE/
  • SASHome/SASWebApplicationServer/9.4/tomcat-8.5.58.B.RELEASE/
  • SASHome/SASWebApplicationServer/9.4-1/9.4/
  • SASHome/SASWebApplicationServerBackup[date]/
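A POSIX shell script, added here as an example and not part of the SAS note, that automates the two checks described above: it reads the tcsvr version out of DeploymentRegistry.txt and searches a SASHome tree for leftover copies of the two JARs. It assumes the report uses the "Product:" / "Version:" layout quoted in the note; the registry report and directory tree it runs against are a constructed fixture.

```shell
#!/bin/sh
# Added example, not part of the SAS note. Assumes DeploymentRegistry.txt uses
# the "Product:" / "Version:" one-field-per-line layout quoted in the note.

# Print the Version recorded for product tcsvr (SAS Web Application Server).
tcsvr_version() {
    awk '/^[[:space:]]*Product:/ { prod = $2 }
         /^[[:space:]]*Version:/ && prod == "tcsvr" { print $2; exit }' "$1"
}

# Succeed (return 0) when major.minor is below 9.47, i.e. the upgrade is needed.
# Compares numerically rather than as strings, so 9.100 would count as fixed.
needs_upgrade() {
    major=${1%%.*}; minor=${1#*.}; minor=${minor%%.*}
    [ "$major" -lt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -lt 47 ]; }
}

# List any copies of the two vulnerable JARs left under SASHome. The backup
# directory carries a date suffix, so the whole tree is searched, not just the four named paths.
find_vulnerable_jars() {
    find "$1" -type f \( -name 'bcprov-jdk15on-1.65.jar' \
                         -o -name 'httpclient-4.5.12.jar' \)
}

# Constructed fixture for trying the checks offline: a registry report showing
# tcsvr 9.46 and a fake SASHome holding one copy of each JAR (empty files).
# Prints the fixture root; the caller removes it when done.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/SASHome/SASWebApplicationServer/9.4/tomcat-8.5.58.B.RELEASE/lib" \
             "$root/SASHome/SASWebApplicationServerBackup20220301/lib"
    : > "$root/SASHome/SASWebApplicationServer/9.4/tomcat-8.5.58.B.RELEASE/lib/bcprov-jdk15on-1.65.jar"
    : > "$root/SASHome/SASWebApplicationServerBackup20220301/lib/httpclient-4.5.12.jar"
    printf '%s\n' '        Product: tcsvr' '        Version: 9.46' \
        '   Display Name: SAS Web Application Server' 'Display Version: 9.46' \
        > "$root/DeploymentRegistry.txt"
    echo "$root"
}

# Walk the fixture the way an administrator would walk a real middle-tier host.
main() {
    root=$(make_fixture)
    ver=$(tcsvr_version "$root/DeploymentRegistry.txt")
    if needs_upgrade "$ver"; then echo "tcsvr $ver: upgrade to 9.47 required"; fi
    echo "vulnerable JARs still present:"
    find_vulnerable_jars "$root/SASHome"
    rm -rf "$root"
}
main
```

On a real host, point tcsvr_version at the generated DeploymentRegistry.txt and find_vulnerable_jars at the actual SASHome; an empty JAR list after the upgrade confirms the manual cleanup is complete.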


Operating System and Release Information

Product Family  Product                     System                       Product Release    SAS Release
                                                                         Reported  Fixed*   Reported   Fixed*
SAS System      SAS Web Application Server  Solaris for x64              9.46      9.47     9.4 TS1M7  9.4 TS1M7
                                            Linux for x64                9.46      9.47     9.4 TS1M7  9.4 TS1M7
                                            HP-UX IPF                    9.46      9.47     9.4 TS1M7  9.4 TS1M7
                                            64-bit Enabled Solaris       9.46      9.47     9.4 TS1M7  9.4 TS1M7
                                            64-bit Enabled AIX           9.46      9.47     9.4 TS1M7  9.4 TS1M7
                                            Microsoft® Windows® for x64  9.46      9.47     9.4 TS1M7  9.4 TS1M7

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.