Severity: Medium

Description: In SAS Viya 3.5, the default database (PostgreSQL) for the SAS Infrastructure Data Server uses MD5 authentication. Applying the latest fixes for SAS Viya 3.5 allows users to upgrade the PostgreSQL database to version 11.x by running the sas-pgupgrade-cli utility.

If the PostgreSQL database is upgraded, the SAS Viya 3.5 playbook (site.yml) must be run again to reconfigure the authentication method. After a successful playbook run, the database and all the current user passwords in the database are converted to use SCRAM-SHA-256.

Multi-tenant deployments require extra steps to complete the user password updates. Instructions for updating these passwords can be found in Upgrade Tenant Database User Passwords to the scram-sha-256 Encryption Standard.

For complete instructions to upgrade the database and passwords in SAS Viya 3.5, see Upgrading PostgreSQL in SAS Viya.

Potential Impact: Switching from MD5 to SCRAM-SHA-256 hardens the hashing method currently used by MD5, making it more difficult for a brute force attack to decipher passwords.

Click the Hot Fix tab in this note for a link to instructions about accessing and applying the software update.

Operating System and Release Information

Viya on Linux: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Linux Deployment Guide at