Reference Name: Apache Struts Path Traversal Vulnerability (CVE-2023-50164)
Severity: Critical
Status: Investigation
History
- 12-22-2023 – Initial statement
Summary
SAS is aware of CVE-2023-50164 and is investigating the impact of this vulnerability on SAS products.
SAS Cloud Solutions
SAS Cloud and SAS Information Services are aware of CVE-2023-50164 and are actively working to ensure that protection capabilities are up to date.
Impact (preliminary evaluation)
SAS is investigating whether SAS® 9.4 includes a vulnerable version of Apache Struts and might be affected by this vulnerability.
SAS has determined that the SAS® Viya® platform and SAS® Viya® 3.x are not affected, because they do not contain the vulnerable Struts component.
As always, SAS recommends that you keep your SAS deployments up to date. The current version of the SAS®9 platform is SAS® 9.4M8 (TS1M8). Instructions for upgrading are available.
Guidance, Activities, and Plans
At this time, no customer action in response to CVE-2023-50164 is recommended.
If SAS 9.4 is impacted, SAS intends to provide a software update that removes the vulnerability from the Struts component in selected versions of SAS 9.4. This bulletin will be updated when the software update is available. At this time, the estimated release date for the software update is Q1 2024.
Updates to this Bulletin
When SAS has additional news or guidance about this vulnerability and its impact on SAS software and services, this official security bulletin will be updated.
The latest SAS Product Security bulletins are available at https://support.sas.com/en/security-bulletins.html and by RSS feed.