Product Statement Regarding Heartbleed
SAS is aware of the Heartbleed Bug and we are continuously evaluating our systems and our products so that we can implement or provide any necessary changes.
SAS has completed our assessment of any use of OpenSSL 1.0.1 by SAS as it relates to the Heartbleed vulnerability. Our findings are:
- SAS has assessed our externally-facing customer hosted systems and determined that they are not vulnerable to this issue.
- SAS has reviewed our externally-facing corporate IT systems, patched vulnerable systems, re-issued SSL keys where applicable, and are taking steps to address users of those affected systems.
- SAS does not have Heartbleed vulnerabilities with our external web sites.
- SAS has no issues with the software shipped in SAS 9.2 or SAS 9.3 because these versions do not include OpenSSL 1.0.1 software.
- SAS/SHARE software and SAS/CONNECT software encryption is not impacted by this issue.
- The SOAP and HTTP procedures are not impacted by this issue.
- SAS has determined that our SAS 9.4 Web Server includes OpenSSL 1.0.1. A hot fix is available. All customers who have installed SAS 9.4 Web Server and configured it for the Secure Sockets Layer (SSL) are vulnerable. Refer to the SAS Note 52725 for more information and to download the hot fix.
- SAS DataFlux Secure does not deliver OpenSSL with the software. However, some customers may have implemented the Secure Socket Layer (SSL) to protect HTTP connections. If you are a DataFlux Secure customer, read SAS Note 52743 for more information.
If you have concerns or questions, please contact your SAS account representative or SAS Technical Support.