SAS Statement Regarding Apache Struts 2 Denial of Service Vulnerability CVE-2018-1327

Reference Name: Apache Struts 2 Denial of Service Vulnerability
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1327
cwiki.apache.org/confluence/display/WW/S2-056
Severity: Informational
Status: No action by customers is required


History

4-04-2018 – Assessment completed

Impact

Customer deployments of SAS® are not vulnerable to CVE-2018-1327.

Description

The Struts 2 REST plug-in uses the XStream library, which is vulnerable to a denial-of-service attack: a malicious request carrying a specially crafted XML payload can exhaust the server's resources.

Solution

April 4, 2018

The custom version of Apache Struts that is managed and delivered by SAS is not vulnerable to this issue. The software products that use the regular version of Struts 2 are not affected because the REST plug-in is not used. As an added precaution, customers who have installed SAS® Grid Manager might want to remove the flagged Apache Struts libraries that are included with the Platform Web Services component. Contact SAS Technical Support for additional details.
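Because exposure to CVE-2018-1327 hinges on whether the REST plug-in is actually deployed, the following added shell check (not SAS tooling) inventories a deployment tree for the Struts 2 core, REST plug-in and XStream jars and reports whether the REST plug-in is present. The directory layout and jar file names in the fixture are constructed assumptions.

```shell
#!/bin/sh
# Count jar files under a root directory that match a glob pattern.
count_jars() {
  find "$1" -type f -name "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Report the Struts 2 artifacts found under a deployment root.
# Returns 0 (exposed) when the REST plug-in jar is present, 1 otherwise;
# struts2-core on its own does not pull in the vulnerable XStream path.
struts_rest_exposed() {
  root="$1"
  core=$(count_jars "$root" 'struts2-core-*.jar')
  rest=$(count_jars "$root" 'struts2-rest-plugin-*.jar')
  xstream=$(count_jars "$root" 'xstream-*.jar')
  printf '%s: struts2-core=%s rest-plugin=%s xstream=%s\n' \
    "$root" "$core" "$rest" "$xstream"
  [ "$rest" -gt 0 ]
}

# Constructed fixture: webapp-a bundles the REST plug-in, webapp-b does not.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/webapp-a/WEB-INF/lib" "$demo_root/webapp-b/WEB-INF/lib"
touch "$demo_root/webapp-a/WEB-INF/lib/struts2-core-EXAMPLE.jar" \
      "$demo_root/webapp-a/WEB-INF/lib/struts2-rest-plugin-EXAMPLE.jar" \
      "$demo_root/webapp-a/WEB-INF/lib/xstream-EXAMPLE.jar" \
      "$demo_root/webapp-b/WEB-INF/lib/struts2-core-EXAMPLE.jar"

for app in webapp-a webapp-b; do
  if struts_rest_exposed "$demo_root/$app"; then
    echo "  -> REST plug-in present: review or remove per vendor guidance"
  else
    echo "  -> REST plug-in absent: not exposed to CVE-2018-1327"
  fi
done
rm -rf "$demo_root"
```

Point the function at a real installation root (for example the Platform Web Services component directory) to confirm which webapps, if any, ship the REST plug-in.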
