SAS Statement Regarding Apache ActiveMQ Vulnerability (CVE-2023-46604)

Reference Name: Apache ActiveMQ Vulnerability (CVE-2023-46604)
Severity: Critical
Status: Investigation

History

  • 4-4-2024 - Update about SAS® 9.4M7 and SAS® 9.4M6
  • 1-25-2024 - Update about SAS® 9.4M8
  • 11-10-2023 - Initial statement

Impact

SAS is aware of CVE-2023-46604 and is investigating the impact of this vulnerability on SAS products.

Preliminary Evaluation

SAS has evaluated that SAS® 9.4M6 (TS1M6) and later include, and are affected by, a vulnerable version of the Apache ActiveMQ component. As always, SAS recommends that you keep your SAS deployments up to date. The current version of the SAS®9 platform is SAS® 9.4M8 (TS1M8). Instructions for upgrading are available.

SAS has evaluated that the SAS® Viya® platform and SAS® Viya® 3.x are not affected because they do not use a vulnerable version of the Apache ActiveMQ component. 

Guidance, Activities, and Plans

At this time, in response to CVE-2023-46604, it is recommended that customers work with their system administrators to ensure that the port used by ActiveMQ is being blocked by their deployments’ firewall.

SAS intends to provide a software update that removes vulnerable versions of the Apache ActiveMQ component from supported versions of SAS 9.4M6 and later. The SAS 9.4M8 update is available now and is described below. This bulletin will be updated when the software update is available for SAS 9.4M6 and SAS 9.4M7. At this time, the estimated release date for those software updates is 03-31-24 / Q1 2024.

SAS® 9.4M8

Customers should do the following to update SAS 9.4M8:

  • Apply the hot fix from SAS Note 70568 to upgrade the ActiveMQ version in the SAS JMS Broker service.  
  • Apply the hot fix from SAS Note 70554 to upgrade the ActiveMQ client library supplied with SAS® Environment Manager.
  • After applying those hot fixes, apply the latest SAS Security Update for SAS® 9.4M8 (TS1M8), which updates ActiveMQ client libraries. 

SAS® 9.4M7

Customers should do the following to update SAS 9.4M7:

  • Apply the hot fix from SAS Note 70568 to upgrade the ActiveMQ version in the SAS JMS Broker service. Note that there are two hot fixes available for this release. To ensure that you install the correct fix, run the View Registry report.
  • Apply the hot fix from SAS Note 70554 to upgrade the ActiveMQ client library supplied with SAS® Environment Manager.
  • After applying those hot fixes, apply the latest SAS Security Update for SAS® 9.4M7 (TS1M7), which updates ActiveMQ client libraries. 

SAS® 9.4M6

Customers should do the following to update SAS 9.4M6:

  • Apply the hot fix from SAS Note 70568 to upgrade the ActiveMQ version in the SAS JMS Broker service.  
  • Apply the hot fix from SAS Note 70554 to upgrade the ActiveMQ client library supplied with SAS® Environment Manager.
  • After applying those hot fixes, apply the latest SAS Security Update for SAS® 9.4M6 (TS1M6), which updates ActiveMQ client libraries. 
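Two local checks an administrator can run after following the firewall guidance and the hot fix steps above, as an added example that is not SAS code and is not part of this bulletin. The first walks an installation tree and reports ActiveMQ jars that are still below the first fixed release for their line, which confirms that the hot fixes and the Security Update actually replaced the libraries. The second parses the output of `ss -tln` and shows whether the broker port is bound on an address other than loopback. Everything below that is not in the bulletin is an assumption: the OpenWire default port 61616, the fixed-version table (taken from Apache's advisory for CVE-2023-46604, and to be verified there, since the bulletin states no version numbers), the constructed directory layout, and the constructed `ss` listing. The socket check complements the firewall rule; it does not prove that the firewall blocks the port from other hosts.

```python
#!/usr/bin/env python3
"""Local post-remediation checks for the ActiveMQ component on a SAS 9.4 host.

Added example, not SAS code. Run with no arguments to see both checks on
constructed sample data; point find_outdated_jars() at a real SAS home and
exposed_listeners() at real `ss -tln` output to check a deployment.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption: ActiveMQ's OpenWire listener defaults to TCP 61616. Set this to
# the port your SAS JMS Broker actually uses.
ACTIVEMQ_PORT = 61616

# Assumption: first fixed release per ActiveMQ line, as published in Apache's
# CVE-2023-46604 advisory. The bulletin does not state these; verify them
# against the advisory before relying on this table.
MIN_FIXED_BY_LINE: Dict[Tuple[int, int], Version] = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
    (5, 16): (5, 16, 7),
    (5, 15): (5, 15, 16),
}

# Matches names such as activemq-client-5.18.3.jar or activemq-all-5.15.16.jar.
JAR_RE = re.compile(r"^activemq-[a-z][a-z-]*-(\d+)\.(\d+)\.(\d+)(?:[-.][\w.-]+)?\.jar$")


def parse_jar_version(filename: str) -> Optional[Version]:
    """Return (major, minor, patch) for an ActiveMQ jar name, else None."""
    m = JAR_RE.match(filename)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def find_outdated_jars(root: Path, fixed_by_line=MIN_FIXED_BY_LINE) -> List[Tuple[str, str]]:
    """Walk an installation tree; list ActiveMQ jars below the fixed release
    for their line. A jar on a line with no recorded fix is flagged as well,
    so that it is reviewed rather than silently passed."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ver = parse_jar_version(name)
            if ver is None:
                continue
            fixed = fixed_by_line.get(ver[:2])
            if fixed is None or ver < fixed:
                rel = (Path(dirpath) / name).relative_to(root).as_posix()
                flagged.append((rel, ".".join(map(str, ver))))
    return sorted(flagged)


def _is_loopback(addr: str) -> bool:
    addr = addr.strip("[]")
    return addr == "::1" or addr.startswith("127.")


def exposed_listeners(ss_output: str, port: int = ACTIVEMQ_PORT) -> List[str]:
    """From `ss -tln` text, return the local addresses on which `port` is
    listening that other hosts could reach (wildcard or non-loopback)."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port_str = fields[3].rpartition(":")  # handles [::]:61616 too
        if port_str.isdigit() and int(port_str) == port and not _is_loopback(addr):
            exposed.append(addr)
    return exposed


# Constructed sample of `ss -tln` output (not captured from a real host):
# the broker listens on loopback for IPv4 but on all interfaces for IPv6.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:61616      0.0.0.0:*
LISTEN  0       128     [::]:61616           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""


def build_demo_tree(root: Path) -> None:
    """Create empty placeholder jars in a constructed layout (not the real SAS layout)."""
    for rel in ("jmsbroker/lib/activemq-broker-5.16.7.jar",   # fixed on the 5.16 line
                "jmsbroker/lib/activemq-core-5.7.0.jar",      # line with no recorded fix
                "envmgr/lib/activemq-client-5.15.12.jar",     # below 5.15.16
                "envmgr/lib/activemq-all-5.18.3.jar",         # fixed on the 5.18 line
                "envmgr/lib/unrelated-1.0.jar"):              # not ActiveMQ, ignored
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()


def run_demo() -> Dict[str, object]:
    """Run both checks on the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        outdated = find_outdated_jars(root)
    return {"outdated_jars": outdated,
            "exposed_on": exposed_listeners(SAMPLE_SS_OUTPUT)}


if __name__ == "__main__":
    findings = run_demo()
    for path, ver in findings["outdated_jars"]:
        print(f"still vulnerable: {path} (ActiveMQ {ver})")
    for addr in findings["exposed_on"]:
        print(f"port {ACTIVEMQ_PORT} reachable from the network via {addr}")
```

On a real host, run `find_outdated_jars(Path("/path/to/SASHome"))` after the hot fixes and the Security Update; an empty list means no ActiveMQ jar below its line's fixed release remains under that tree. A non-empty result from `exposed_listeners` means the broker accepts connections on a network-facing address, so the firewall rule recommended above is what stands between it and other hosts.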

SAS® Cloud Solutions

SAS Cloud and SAS Information Services are aware of CVE-2023-46604 and are actively working to ensure that protection capabilities are up to date.

Updates to this Bulletin

When SAS has additional news or guidance for this vulnerability and its impact on SAS software and services, this official security bulletin will be updated.

The latest SAS Product Security bulletins are available at https://support.sas.com/security-bulletins.html and by RSS feed.
