SAS Statement Regarding Java Deserialization Vulnerability

Reference Name: Java Deserialization Vulnerability
Severity: Critical
Status: Resolved for SAS releases as noted below


History

  • 10-18-2016 – Additional fixes for all SAS 9.4 deployments are available and recommended
  • 4-19-2016 – Security fixes for all SAS 9.4 deployments are available
  • 3-30-2016 – Interim update
  • 2-15-2016 – Security fixes for SAS 9.4M3 deployments are available
  • 11-20-2015 – Initial acknowledgement

Impact

SAS is aware of several vulnerabilities that are generally described as "deserialization of untrusted data." If you are running a SAS deployment that includes a web server or web application servers (sometimes described as a SAS middle tier) and that deployment is reachable from the internet, you are strongly encouraged to apply the most current Java deserialization fixes promptly, even if you have already applied the previously available Java deserialization security fixes.

If you are running an older SAS release, prior to SAS 9.4, you are encouraged to consider upgrading to a current SAS release.

You should consider applying the security fixes promptly to any SAS deployment, not only those with a middle tier, because Base SAS itself can execute Java code.

Description

The Java deserialization vulnerability, as noted by Apache in November 2015, is a remote code execution vulnerability: an attacker who can supply a serialized Java object to a program that deserializes it can cause arbitrary code to run when that object is reconstructed. This issue, which has been described both as a Java Deserialization vulnerability and as an Apache Commons vulnerability, belongs to a more general class of vulnerabilities called "deserialization of untrusted data."

SAS continually evaluates our software portfolio, and we have determined that some products that incorporate third-party software are affected. SAS has issued a collective set of Java Deserialization fixes. Related vulnerabilities, including Apache ActiveMQ and XXE (XML eXternal Entity), are addressed in this set of security fixes. SAS continues to encourage you to inspect code you have written and evaluate it for these vulnerabilities, especially Java code or code that interfaces with Java, such as code that reads serialized objects or parses XML from sources you do not control.
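The following is an added example for readers inspecting their own Java code; it is not SAS code and does not reproduce any SAS component. It contrasts the pattern the bulletin warns about (a bare `ObjectInputStream` over request data, which will instantiate any serializable class on the classpath) with a look-ahead allow-list that rejects unexpected class names in `resolveClass`, before the class is loaded and before its `readObject` can run. The class names `JobRequest`, `ForbiddenPayload` and `AllowListObjectInputStream` are hypothetical; `ForbiddenPayload` stands in for an attacker-chosen gadget class and merely throws where a real gadget chain (for example the Commons Collections chain behind the 2015 reports) would execute code.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

// Added example, not SAS code. Java 8 compatible.
public class SafeDeserializationExample {

    // The only type this hypothetical endpoint legitimately expects.
    public static final class JobRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String jobName;
        public JobRequest(String jobName) { this.jobName = jobName; }
    }

    // Stand-in for an attacker-chosen class (constructed for this example).
    // A real gadget class would execute code in readObject; this one only throws.
    public static final class ForbiddenPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            throw new IllegalStateException("readObject of an untrusted class ran");
        }
    }

    // Vulnerable pattern: whatever class name is in the stream gets loaded and reconstructed.
    public static Object readUnsafe(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    // Hardened pattern: resolveClass is called when the class descriptor is read,
    // so an unlisted class is rejected before it is loaded or its readObject runs.
    public static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    public static Object readSafe(InputStream in) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(JobRequest.class.getName());
        try (ObjectInputStream ois = new AllowListObjectInputStream(in, allowed)) {
            return ois.readObject();
        }
    }

    // Serializes an object to bytes; this is also how an attacker builds a payload.
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new JobRequest("nightly-etl"));
        byte[] hostile = serialize(new ForbiddenPayload());

        // Both readers accept the expected type.
        System.out.println("unsafe/legit:   " + ((JobRequest) readUnsafe(new ByteArrayInputStream(legit))).jobName);
        System.out.println("safe/legit:     " + ((JobRequest) readSafe(new ByteArrayInputStream(legit))).jobName);

        // The unsafe reader runs the hostile class's readObject; the safe reader never loads it.
        try {
            readUnsafe(new ByteArrayInputStream(hostile));
        } catch (IllegalStateException e) {
            System.out.println("unsafe/hostile: " + e.getMessage());
        }
        try {
            readSafe(new ByteArrayInputStream(hostile));
        } catch (InvalidClassException e) {
            System.out.println("safe/hostile:   rejected " + e.classname);
        }
    }
}
```

The allow-list must be exact class names, not package prefixes, and it must also cover the classes referenced by the expected type's fields. On Java 9 and later (and 8u121 and later), the same check can be expressed with the built-in `ObjectInputFilter` (JEP 290) instead of subclassing `ObjectInputStream`; the principle is identical: decide on the class name before the stream is allowed to instantiate anything.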

The XXE (XML eXternal Entity) vulnerability is described in CVE-2013-4152.
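As an added example for the XXE class of issue (not SAS code, and not tied to any specific SAS component), the block below parses a constructed XML document whose DOCTYPE declares an external entity pointing at a local file. A `DocumentBuilderFactory` left at JAXP defaults, which on most JDK releases resolve external entities, returns the file's contents inside the parsed document; the hardened factory refuses the DOCTYPE outright. The file and the secret it contains are created by the example itself so it runs on any platform; the names `unsafeBuilder`, `hardenedBuilder` and `parseName` are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example, not SAS code. Java 8 compatible.
public class XxeHardeningExample {

    // Weak configuration: JAXP defaults, external entities are resolved.
    public static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Corrected configuration: no DOCTYPE at all, so no entity declarations can appear.
    // The remaining features are belt-and-braces for parsers that do not honour the first one.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Extracts the <name> text, which is where an attacker's entity would land.
    public static String parseName(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a local file standing in for something the attacker wants to read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "s3cret-token".getBytes(StandardCharsets.UTF_8));

        // Constructed hostile request body: the entity points at that file.
        String hostile = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE job [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>"
                + "<job><name>&xxe;</name></job>";

        try {
            // With defaults the secret is read from disk and returned to the caller.
            System.out.println("unsafe:   name = " + parseName(unsafeBuilder(), hostile));
        } catch (SAXException | IOException e) {
            System.out.println("unsafe:   parser refused (" + e.getMessage() + ")");
        }

        try {
            parseName(hardenedBuilder(), hostile);
            System.out.println("hardened: unexpectedly parsed");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Apply the same hardening to every XML entry point, not only `DocumentBuilderFactory`: `SAXParserFactory`, `XMLInputFactory`, `TransformerFactory`, `SchemaFactory` and `Unmarshaller` each have their own defaults, and a single unhardened one is enough.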

ActiveMQ vulnerabilities are described in CVE-2015-5254 and CVE-2015-1830. The SAS JMS Broker is built on ActiveMQ, so these fixes apply to it.

Solution

**Update** - January 9, 2019 

Fixes for Java deserialization vulnerabilities are now included as part of the SAS Security Updates (starting with SAS Security Update 2017-19). Those updates are available on the SAS Security Updates and Hot Fixes web page. See the SAS Security Updates and Hot Fixes documentation to select and apply the appropriate fix(es) for your SAS software. SAS Technical Support also highly recommends that you upgrade to the latest maintenance level in order to ensure that you receive future security updates.

October 18, 2016

Updated Java deserialization fixes for SAS 9.4 releases (9.4M0, 9.4M1, 9.4M2, 9.4M3) are available. All customers are encouraged to apply the updated security fixes associated with the Java Deserialization vulnerability promptly, even if you have already applied the previously available Java deserialization security fixes.

New fixes for the ActiveMQ and XXE vulnerabilities are included in this security fix. These fixes are available at the same site referenced in previous Java Deserialization statements.

Please review and follow the streamlined instructions for the update process documented on the Java Deserialization security hot-fix site.

Use the SAS Hot Fix Analysis, Download and Deployment Tool (SASHFADD) to create a list of additional hot fixes available for your deployment. Documentation and links are available in the SASHFADD Download Page.

April 19, 2016

Java Deserialization security fixes for all SAS 9.4 releases are available from the security hot-fix site. Customers who are running SAS 9.3 should bookmark this page and check back for information about fixes.

March 31, 2016

Java Deserialization security fixes for all SAS 9.4 releases are pending, and are expected to be available soon from this security-fix site. Customers who are running SAS 9.3 should bookmark this page and check back for information about fixes.

February 15, 2016

Java Deserialization security fixes for the current maintenance release SAS 9.4M3 are available here. Customers should retrieve the documentation and security fixes from this security-fix site. By the end of Q1, SAS will assess the target timeframes for delivering fixes for other SAS releases.

November 10, 2015

SAS is aware of the Java deserialization vulnerability, as noted in early November 2015 by Apache. We are taking steps to ensure our servers are protected from attacks. We are also evaluating our portfolio of products so that we can recommend an appropriate course of action, if necessary. We will continue to update this bulletin as we have more information to share with our customers. Bookmark this page and check back for updated information.

Mitigation options

  • Reduce risk by restricting access to the deployment from external networks (for example, placing the middle tier behind a firewall or reverse proxy that only accepts connections from trusted address ranges) and by monitoring the access that remains
  • Apply SAS security updates as soon as they are available
