SAS Statement Regarding CVE 2014-3566 (the POODLE Vulnerability)

Reference Name: CVE 2014-3566 (the POODLE Vulnerability)
Severity: High
Status: Resolved, fixes are available

History

• 10-20-2014 – Fixes are available and recommended
• 10-16-2014 – Initial acknowledgement

Impact

As previously announced, SAS is aware of CVE 2014-3566 (the POODLE Vulnerability) made public October 14, 2014. We have been evaluating our systems and our products and report the following assessment and recommendations.

Assessment & Recommended Actions

Base SAS^®, SAS/CONNECT^® and SAS/SHARE^®

• The Secure Sockets Layer (SSL) capability in Foundation SAS products supports SSL 3.0 and thus it is susceptible to the POODLE vulnerability.
• The full details of possible vulnerability are documented in SAS Note 54374.
• Please contact SAS Technical Support and reference SAS Note 54374 to obtain a hot fix for these products.

SAS^® Web Server, SAS^® Web Application Server & SAS^® Environment Manager

• If you configure the SAS Web Server, the SAS Web Application Server, or the SAS Environment Manager for HTTPS, Secure Sockets Layer (SSL) 3.0 is enabled by default and you may be exposed to the security vulnerability.
• Customers can disable SSL 3.0 in the 9.4 SAS servers; no new code or hot fix is needed to remove the vulnerability. Follow the steps in SAS Note 54376 to edit configuration files to disable use of the SSLv3 and SSLv2 protocols.
• SSL 3.0 is enabled by default for SAS Environment Manager Agent. See SAS Note 56054 for details.
• Prior to SAS^® 9.4, customers installed a Web Server and Web Application Server of choice (WebLogic, WebSphere, JBOSS). Customers running a SAS^® middle tier version 9.3 or earlier should contact their vendor for advice on resolving the security vulnerability described as POODLE.

Host-Based Authentication Using LDAPS

• Customers using Secure Sockets Layer (SSL) 3.0 with LDAPS for SAS authentication are susceptible to the vulnerability. Use the information in SAS Note 54395 to disable the use of SSL 3.0.

SAS^® Solutions OnDemand Customers

• SAS Solutions OnDemand will be contacting customers the week of October 20, 2014 with details on any necessary updates.
• In the meantime, if you have questions about your hosted SAS products or environment not covered in the information above, you should contact SAS Technical Support.

October 16, 2014

SAS is aware of the POODLE vulnerability involving SSL v3 that was announced October 14, 2014 (CVE-2014-3566). We are taking steps to ensure our servers are protected from attacks. We are also evaluating our portfolio of products so that we can recommend an appropriate course of action, if necessary.

We will continue to update this bulletin as we have more information to share with our customers. Bookmark this page and check back for updated information.