Problem Note 71137: SAS® Viya® 3.5 contains a file that is affected by Elasticsearch vulnerabilities CVE-2024-22243 and CVE-2024-38828
 |  |  |  |  |
Severity: High
Description: SAS Viya 3.5 contains a file that is affected by the CVE-2024-22243 and CVE-2024-38828 vulnerabilities.
Potential Impact: Information about the potential impact is located at CVE-2024-22243 and CVE-2024-38828.
Circumvention
Complete the following steps to circumvent these vulnerabilities and avoid negative impact to the SAS system:
- Move or remove the /opt/sas/viya/home/libexec/elasticsearch-secure/plugins/opensearch-sql directory.
- Run the following to restart OpenSearch: sudo systemctl restart sas-viya-svi-elasticsearch-default
- Verify that the plug-in is no longer included in the list of loaded plug-ins on start-up by checking the OpenSearch log file: /var/log/sas/viya/svi-elasticsearch/sas-opensearch.log
No SAS hot fix is required for remediation. The instructions above resolve the vulnerabilities without negative impact to the SAS system.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Viya 3.x | Microsoft® Windows® for x64 | 3.5 | Viya 3.5 | ||
| Linux for x64 | 3.5 | Viya 3.5 | ||||
An update for this issue is available for SAS Visual Investigator 10.8. For instructions on how to access and apply these software updates, see the documentation links at the top of
https://tshf.sas.com/techsup/download/hotfix/HF2/Viya_VI_10_8_home.html#71137
The following file in SAS Viya 3.5 is flagged by security scanners for the CVE-2024-22243 and/or CVE-2024-38828 security vulnerabilities:
/opt/sas/viya/home/libexec/elasticsearch-secure/plugins/opensearch-sql/spring-core-5.3.27.jar
| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2025-02-25 16:14:22 |
| Date Created: | 2025-02-25 12:22:40 |