SAS Statement Regarding CVE 2014-6271 (the Bash Vulnerability aka Shellshock)

Reference Name: CVE 2014-6271 (the Bash Vulnerability aka Shellshock)
Severity: Varies
Status: Resolved, fixes are available


History

  • 3-28-2017 –  Highlighted term Shellshock in response to renewed discussions of the old vulnerability
  • 10-23-2014 – Assessment and recommendations
  • 9-27-2014 – Fix for SAS® University Edition released
  • 9-26-2014 – Initial acknowledgement

Impact

SAS is aware of CVE 2014-6271 (and associated CVEs, including CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187) -- also known as the Bash or "Shellshock" vulnerability -- made public September 24th, 2014. We have been evaluating our systems and our products and report the following assessment and recommendations.

Assessment & Recommended Actions

October 23, 2014

  • SAS has proactively taken steps to ensure Hosted customers and customers running SAS® University Edition are protected from potential exploits.
  • The SAS University Edition is minimally affected by CVE 2014-6271 and associated CVEs; SAS University Edition is locked down in terms of network capabilities and shell command access. An update was released September 27, 2014 to the SAS University Edition which addresses the vulnerability and we recommend that all users either apply the update to their existing vApp or download a new, updated copy. See FAQ: How do I update the SAS University Edition vApp for instructions on how to update the SAS University Edition.
  • Customers can be vulnerable if hosting UNIX-like environments/toolkits (e.g. Cygwin) on their native Windows operating system. Customers will need to follow up with their vendors to determine if they are vulnerable and if so, follow the vendor's recommendation for addressing the bash vulnerability.
  • SAS has not identified any additional vulnerabilities. We continue to encourage SAS customers who are working with an operating system vendor external to SAS to consult that vendor for any patches that have been made available.

September 26, 2014

SAS is aware of CVE 2014-6271, also known as the Bash or "Shellshock" vulnerability, made public September 24th, 2014. We are evaluating our systems and our products so that we can recommend an appropriate course of action, if necessary.

We encourage any SAS customers who are working with an operating system vendor external to SAS to consult that vendor for any patches that have been made available.

Security Bulletins Icon

Security Bulletins

View other security bulletins, published as part of our formal PSIRT process.

Technical Support Icon

Technical Support

Get world-class technical support via our support track system.

Samples & SAS Notes Icon

Samples & SAS Notes

Search our extensive Knowledge Base for code samples and SAS Notes.

Back to Top