Reference Name: FREAK and SKIP TLS Vulnerabilities (related to OpenSSL)
Severity: Medium
Status: Resolved; fixes are available
History
- 5-4-2016 – Updated
- 3-4-2015 – Initial acknowledgement
Description
The FREAK and SKIP vulnerabilities are medium-severity security issues that fall under "Broken or Risky Cryptographic Algorithms – CWE 327". For more information, see the OpenSSL Security Advisory (19 Mar 2015).
FREAK: OpenSSL versions before 1.0.1k are vulnerable, as described in CVE-2015-0204.
SKIP-TLS: Errors potentially allow malicious attackers to perform man-in-the-middle attacks and take advantage of issues as described in CVE-2014-6593. The January 2015 critical update for Java prevents the attack.
Solution
May 4, 2016
Hot fixes are available for SAS 9.4, SAS 9.3 and SAS 9.2 releases. Customers should review SAS Note 55767, and access the Hot Fix tab to download and apply the appropriate fixes.
Customers should also ensure that they have updated the SAS Private JRE on SAS 9.4 systems, and the general JRE on earlier SAS versions. See SAS Note 56203 for information about downloading and applying updated versions of the Java 7 JRE.