Select Your Region

Visit the Cary, NC, US corporate headquarters site

Americas

Europe

Middle East & Africa

Asia Pacific

View our worldwide contacts list for help finding your region

Americas

Europe

Middle East & Africa

Asia Pacific

Sign In

Get access to My SAS, trials, communities and more.

Sign Out

Get access to My SAS, trials, communities and more.

SAS Sites

sas.com
Support
Blogs
Communities
Developer
Curiosity
Videos
Merchandise
Brand
PartnerNet

SAS Product Security

Latest bulletins and updates

Security Bulletins

Title Date Severity Description CVE
RSS Feed of Security Bulletins
SeverityCVSS Range
Informational0.0
Low0.1 - 3.9
Medium4.0 - 6.9
High7.0 - 8.9
Critical9.0 - 10.0

Note: Hot fixes for each product component are cumulative and might include functionality fixes in addition to security fixes. For a list of hot fixes that are available for your products, use the the SAS Hot Fix Analysis, Download & Deployment (SASHFADD) tool.  See the Hot Fix FAQ for a general overview of hot fixes.

Note: SAS uses the latest version of the industry-standard CVSS system to calculate vulnerability severity. Select critical security issues in the CVSS 9.0-10.0 range will be provided for each release covered by Standard Support. Additionally, select high, medium, and low security issues will be provided in the most current release of the software. 

Note: To ensure that SAS customers have the latest security updates for SAS software, SAS recommends that customers install the most current release of the software, including maintenance and security hot fixes.

Java 7 and 8 Updates

SAS continues to use and support private Java 8 Java Runtime Environments (JREs) for SAS 9.4M6 and later deployments. SAS has stopped delivering new Java 7 updates due to the decision by Azul, SAS' Java vendor, to end "Commercial Support" of Java 7. SAS will continue to provide the last Java 7 update, which was released by SAS in August 2022.


See SAS Third-Party Software Requirements for details.
See also SAS Note 56203 for the most recent updates to the Java 7 and Java 8 JREs and JDKs.

Vulnerability Notes

Title Date Severity Product

Product Security Incident Response Team

To keep you informed about any suspected or confirmed security issues, SAS publishes security bulletins and SAS Notes as part of our formal Product Security Incident Response Team (PSIRT) process.

Customers who have SAS support contracts should report a suspected security issue by opening a track with SAS Technical Support.  Security researchers or others who do not have a support contract can contact PSIRT directly by sending email to psirt@sas.com. Information about security vulnerabilities should be encrypted by using our public Pretty Good Privacy (PGP) key.

Open a Track