Severity: High

Description: SAS Viya 3.5 contains a file that is affected by the CVE-2024-22243 and CVE-2024-38828 vulnerabilities. 

Potential Impact: Information about the potential impact is located at CVE-2024-22243 and CVE-2024-38828. 

Circumvention

Complete the following steps to circumvent these vulnerabilities and avoid negative impact to the SAS system:

1. Move or remove the /opt/sas/viya/home/libexec/elasticsearch-secure/plugins/opensearch-sql directory.
2. Run the following to restart OpenSearch: sudo systemctl restart sas-viya-svi-elasticsearch-default
3. Verify that the plug-in is no longer included in the list of loaded plug-ins on start-up by checking the OpenSearch log file: /var/log/sas/viya/svi-elasticsearch/sas-opensearch.log

No SAS hot fix is required for remediation. The instructions above resolve the vulnerabilities without negative impact to the SAS system.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
			Reported	Fixed*	Reported	Fixed*
SAS System	SAS Viya 3.x	Microsoft® Windows® for x64	3.5		Viya 3.5
		Linux for x64	3.5		Viya 3.5

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

---

An update for this issue is available for SAS Visual Investigator 10.8. For instructions on how to access and apply these software updates, see the documentation links at the top of

https://tshf.sas.com/techsup/download/hotfix/HF2/Viya_VI_10_8_home.html#71137

---

The following file in SAS Viya 3.5 is flagged by security scanners for the CVE-2024-22243 and/or CVE-2024-38828 security vulnerabilities: /opt/sas/viya/home/libexec/elasticsearch-secure/plugins/opensearch-sql/spring-core-5.3.27.jar

Type:	Problem Note
Priority:	high

Date Modified:	2025-02-25 16:14:22
Date Created:	2025-02-25 12:22:40