Severity: High
Description: SAS® Risk Stratum requires that users who execute the Initialize Cycle step be in the "RGF DB Users" group.
From the Risk Stratum Cookbook:
Any user that needs to access the SAS Risk Governance Framework database should be a member of the RGF DB Users group. This includes any user that needs to execute the Initialize Cycle step of the Cycle workflow, as this step requires accessing the SAS Risk Governance Framework database.
If the user is not in that group, the following error occurs in the execution log for the Initialize Cycle step:
The default user account for the RGF DB Users group is used for underlying database connections. Therefore, this is an account with elevated privileges. As a result, any user in the RGF DB Users group has the ability to delete rows and tables from the RGF DB through any database connection tool such as SAS® Enterprise Guide® or SAS® Studio.
Contact SAS Technical Support for possible mitigation actions that can be provided on a case-by-case basis.
Potential Impact: CWE-269: Improper Privilege Management
Product Family | Product | System | SAS Release Reported | SAS Release Fixed* |
SAS System | SAS Risk Stratum | Microsoft® Windows® for x64 | 9.4 TS1M7 | |
SAS System | SAS Risk Stratum | Linux for x64 | 9.4 TS1M7 | |