SAS Statement Regarding Apache Struts 2 Vulnerabilities (Multiple CVEs)


  • 9-12-2017 – Assessment completed


Customer deployments of SAS® are not vulnerable to CVE-2017-9804, CVE-2017-9793, CVE-2017-9805, or CVE-2017-12611.


Struts 2 versions 2.3.7-2.3.33 and 2.5-2.5.12 might be vulnerable to Denial of Service and Remote Code Execution attacks.


September 12, 2017

The custom version of Apache Struts that is managed and delivered by SAS is not vulnerable to this exploit.

As an added precaution, customers who have installed SAS® Grid Manager might want to remove the flagged Apache Struts libraries that are included with the Platform Web Services (PWS) component. The product does not use affected functionality and is not vulnerable to the potential exploitation. Please contact SAS Technical Support for further details.
