SAS Product Security

Latest bulletins and updates

Security Bulletins

Title | Release Date | Severity | Description

Severity | CVSS 3.0 Range
Low | 0.1 - 3.9
Medium | 4.0 - 6.9
High | 7.0 - 8.9
Critical | 9.0 - 10.0

Note: Hot fixes for each product component are cumulative and might include functionality fixes in addition to security fixes. For a list of hot fixes that are available for your products, use the SAS Hot Fix Analysis, Download & Deployment (SASHFADD) tool. See the Hot Fix FAQ for a general overview of hot fixes.

Java 7 Updates

SAS continues to use and support a private Java 7 JRE for SAS 9.4 and SAS 9.3M2 deployments.
See SAS Third-Party Software Requirements – Java 7 Updates for details.
See also SAS Note 56203 for the most recent updates to the Java 7 JREs and JDKs.

Product Security Incident Response Team

To keep you informed about any suspected or confirmed security issues, SAS publishes security bulletins and SAS Notes as part of our formal Product Security Incident Response Team (PSIRT) process.

Customers who have SAS support contracts should report a suspected security issue by opening a track with SAS Technical Support.  Security researchers or others who do not have a support contract can contact PSIRT directly by sending email to Information about security vulnerabilities should be encrypted by using our public Pretty Good Privacy (PGP) key.
