SAS Statement Regarding CVE 2015-0235 (the GHOST Vulnerability)

Reference Name: GHOST vulnerability (CVE 2015-0235)
Severity: High
Status: Resolved, patch is available

History

• 3-31-2015 – A patch is available and recommended
• 1-30-2015 – Initial acknowledgement

Description & Solution

March 31, 2015

A patch is now available for SAS^® University Edition. Unless the user has made specific alterations to the SAS University Edition vApp that was downloaded, the vulnerability is minimal. However, SAS recommends that all users apply the latest update to their existing SAS University Edition vApp.

For more information, see How do I update the SAS University Edition vApp?.

January 30, 2015

SAS is aware of the GHOST vulnerability involving a weakness in the Linux glibc library that was announced January 27, 2015 (CVE 2015-0235). We are taking steps to ensure our servers are protected from attacks. We are also evaluating our portfolio of products so that we can recommend an appropriate course of action, if necessary.

We continue to encourage SAS customers who are working with an operating system vendor external to SAS to consult that vendor for any patches that have been made available.

We will continue to update this bulletin as we have more information to share with our customers. Bookmark this page and check back for updated information.