To keep you informed about any suspected or confirmed security issues, SAS publishes security bulletins and SAS Notes as part of our formal Product Security Incident Response Team (PSIRT) process.
Note: Hot fixes for each product component are cumulative and might include functionality fixes in addition to security fixes.
- For a list of hot fixes that are available for your products, use the the SAS Hot Fix Analysis, Download & Deployment (SASHFADD) tool.
- See the Hot Fix FAQ for a general overview of hot fixes.
- SAS Security Update for SAS 9.4M6 (TS1M6) (March 11, 2019)
- SAS Security Update for SAS 9.4M5 (TS1M5) (September 18, 2018)
- SAS Statement Regarding Apache Struts 2 Remote Code Execution Vulnerability CVE-2018-11776 (August 28, 2018)
- OpenSSL Security Advisories (August 10, 2018)
- SAS Statement Regarding a Spring Framework Remote Code-Execution Vulnerability (April 16, 2018)
- SAS Statement Regarding Apache Struts 2 Denial of Service Vulnerability CVE-2018-1327 (April 06, 2018)
- SAS Statement Regarding SAS® Viya® Orders That Contained An Incorrectly Distributed Intermediate Entitlement Server Private Key (March 26, 2018)
- SAS Statement Regarding Meltdown/Spectre Vulnerabilities (February 8, 2018)
- SAS Statement Regarding Apache Struts 2 Vulnerabilites (Multiple CVEs) (September 12, 2017)
- Apache Struts 2 Remote Code Execution Vulnerability CVE-2017-9791 (July 20, 2017)
- Vulnerablity in IBM Platform LSF 10.1 (June 12, 2017)
- Apache Struts 2 Remote Code Execution Vulnerability CVE-2017-5638 (March 15,2017)
- Phishing for Access to SAS Systems (November 21, 2016)
- Java Deserialization Vulnerability (October 18, 2016)
- Drown Vulnerability (August 12, 2016)
- FREAK & SKIP-TLS Vulnerabilities (related to OpenSSL) (May 3, 2016)
- GHOST Vulnerability (March 31, 2015)
- Daily Report Emails (November 13, 2014)
- POODLE SSL (October 28, 2014)
- Bash Vulnerability (aka Shellshock) (October 16, 2014)
- Notice to SAS Migration Utility Users (October 8, 2014)
- Heartbleed (related to OpenSSL) (April 17, 2014)
Contact the Product Security Incident Response Team
Customers who have SAS support contracts should report a suspected security issue by opening a track with SAS Technical Support. Security researchers or others who do not have a support contract can contact PSIRT directly by sending email to firstname.lastname@example.org. Information about security vulnerabilities should be encrypted by using our public Pretty Good Privacy (PGP) key.