SAS Statement Regarding FREAK and SKIP TLS Vulnerabilities

Reference Name: FREAK and SKIP TLS Vulnerabilities (related to OpenSSL)
Severity: Medium
Status: Resolved; fixes are available


History

  • 5-4-2016 – Updated
  • 3-4-2015 – Initial acknowledgement

Description

The FREAK and SKIP vulnerabilities are medium-severity security issues that fall under "Broken or Risky Cryptographic Algorithms – CWE 327". For more information, see the OpenSSL Security Advisory (19 Mar 2015).

FREAK: OpenSSL versions before 1.0.1k are vulnerable, as described in CVE-2015-0204.

SKIP-TLS: Errors potentially allow attackers to perform man-in-the-middle attacks and take advantage of the issues described in CVE-2014-6593. The January 2015 critical update for Java prevents the attack.

Solution

May 4, 2016

Hot fixes are available for SAS 9.4, SAS 9.3 and SAS 9.2 releases. Customers should review SAS Note 55767, and access the Hot Fix tab to download and apply the appropriate fixes.

Customers should also ensure that they have updated the SAS PRIVATE JRE on SAS 9.4 systems, and the general JRE on earlier SAS versions. See SAS Note 56203 for information about downloading and applying updated versions of Java 7 JRE.
