Problem Note 69001: Security update for pgpool-II on SAS® Viya® 3.5

Severity: Medium

Description: The following versions of pgpool-II are used with the underlying technology for the SAS® Infrastructure Data Server on SAS Viya 3.5:

  • pgpool-II 4.0.6
  • pgpool-II 4.0.17

These versions of pgpool-II have the following known security vulnerabilities:

  • Non-compliant protocols are allowed
  • Weak ciphers are allowed
  • Null ciphers are allowed

Potential Impact:

  • Weak ciphers can result in a malicious actor decrypting data that contains sensitive information, potentially leading to a complete compromise of confidentiality and integrity.

Updating pgpool-II from 4.0.6 / 4.0.17 to 4.4.4 addresses all of these security concerns.

Applying this update also removes the NULL-SHA256 and AES-CBC ciphers on ports 5431 and 5432 for releases on 23w44 or later using any version of PgPool or PostgreSQL.

To determine whether you need a new order, see SAS KB0037227, "Determine whether you need a new order for PostgreSQL 15 on SAS® Viya® 3.5 (Linux)."

Click the Hot Fix tab in this note for a link to instructions about accessing and applying the software update. 

Note: For these changes to take effect, you must run the FULL playbook, not an UPDATE-ONLY install.
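One way to confirm, after the full playbook run, that ports 5431 and 5432 no longer accept NULL or AES-CBC suites. This is an added example, not SAS code. The host argument is supplied by the operator, and classifying suites by their OpenSSL names (flagging every NULL suite, not only NULL-SHA256) is this example's own assumption.

```python
import socket
import ssl
import struct
import sys

# PostgreSQL SSLRequest message: int32 length (8) followed by int32 code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)
PORTS = (5431, 5432)  # the two ports named in the note

def flagged(name):
    """True for OpenSSL suite names that are NULL-encryption or AES in CBC mode."""
    if "NULL" in name:  # NULL-SHA256 is the one the note names; any NULL suite is flagged
        return True
    # OpenSSL tags AEAD modes in the name; an untagged AES suite uses CBC.
    return "AES" in name and "GCM" not in name and "CCM" not in name

def candidate_ciphers():
    """Flagged suites that the local OpenSSL build is able to offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    return sorted({c["name"] for c in ctx.get_ciphers() if flagged(c["name"])})

def server_accepts(host, port, cipher, timeout=5.0):
    """True if the server completes a TLS 1.2-or-lower handshake using `cipher`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # this probe tests cipher support, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3
    ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SSL_REQUEST)
        if sock.recv(1) != b"S":  # b"N" means the server declined TLS
            return False
        try:
            with ctx.wrap_socket(sock) as tls:
                return tls.cipher()[0] == cipher
        except (ssl.SSLError, OSError):  # handshake failure: suite not accepted
            return False

if __name__ == "__main__":
    host = sys.argv[1]  # data server hostname, supplied by the operator
    for port in PORTS:
        hits = [c for c in candidate_ciphers() if server_accepts(host, port, c)]
        print(port, "still accepts:" if hits else "rejects all probed suites", *hits)
```

Run it with the data server's hostname as the only argument; a connection error (as opposed to a rejected handshake) is raised rather than reported as a pass.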



Operating System and Release Information

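| Product Family | Product | System | Product Release (Reported) | Product Release (Fixed*) | SAS Release (Reported) | SAS Release (Fixed*) |
|---|---|---|---|---|---|---|
| SAS System | SAS Viya | Linux for x64 | 3.5 | 3.5 | Viya | Viya |
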
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.