SAS Statement Regarding Apache Commons Text Vulnerability (CVE-2022-42889)

Reference Name: Apache Commons Text Vulnerability (CVE-2022-42889)
Severity: Critical
Status:
History

  • 1-19-2023 - Revised the Guidance, Activities, and Plans section with information about software updates
  • 11-2-2022 - Initial statement

Summary

SAS is aware of CVE-2022-42889 and has investigated the impact of this vulnerability on SAS® products.

SAS® Cloud Solutions

SAS Cloud and SAS Information Services are aware of CVE-2022-42889 and are actively working to ensure that protection capabilities are up to date.

Impact

SAS has evaluated that SAS® Viya® versions covered by Standard Support (referred to as supported SAS Viya versions) and SAS® Viya® 3.5 do not use the vulnerable functionalities of the StringSubstitutor class from the impacted Apache Commons Text library versions and are not affected by this vulnerability. The impacted Apache Commons Text library versions are present in supported SAS Viya versions and SAS Viya 3.5. See the Guidance, Activities, and Plans section below for software update information.

SAS has evaluated that SAS® 9.4M7 (TS1M7) and earlier releases are not affected because they do not use vulnerable versions of Apache Commons Text. As always, SAS recommends that you keep your SAS deployments up to date. The current version of the SAS®9 platform is SAS 9.4M7. Instructions for upgrading are available.

Guidance, Activities, and Plans

At this time, no customer action in response to CVE-2022-42889 is recommended.

In December 2022, SAS provided a software update that removed vulnerable versions of the Apache Commons Text library from SAS® Viya® Long-Term Support 2022.09 and from SAS® Viya® Stable 2022.11 and later versions.

SAS Viya 3.5 will be upgraded to Apache Commons Text 1.10.0 on March 31, 2023.

Updates to This Bulletin

When SAS has additional news or guidance about this vulnerability and its impact on SAS software and services, this official security bulletin will be updated.

The latest SAS Product Security bulletins are available at https://support.sas.com/security-bulletins.html and by RSS feed.
