SAS Product Statement Regarding Heartbleed (related to OpenSSL)

Reference Name: Heartbleed (related to OpenSSL)
Severity: High
Status: Resolved, fixes are available

History

4-17-2014 – Acknowledgement, with fixes

Status

SAS is aware of the Heartbleed Bug and we are continuously evaluating our systems and our products so that we can implement or provide any necessary changes.

Assessment & Recommended Actions

SAS has completed our assessment of any use of OpenSSL 1.0.1 by SAS as it relates to the Heartbleed vulnerability. Our findings are:

• SAS has assessed our externally-facing customer hosted systems and determined that they are not vulnerable to this issue.
• SAS has reviewed our externally-facing corporate IT systems, patched vulnerable systems, re-issued SSL keys where applicable, and are taking steps to address users of those affected systems.
• SAS does not have Heartbleed vulnerabilities with our external Web sites.
• SAS has no issues with the software shipped in SAS^® 9.2 or SAS^® 9.3 because these versions do not include OpenSSL 1.0.1 software.
• SAS/SHARE^® software and SAS/CONNECT^® software encryption is not impacted by this issue.
• The SOAP and HTTP procedures are not impacted by this issue.
• SAS has determined that our SAS^® 9.4 Web Server includes OpenSSL 1.0.1. A hot fix is available. All customers who have installed SAS 9.4 Web Server and configured it for the Secure Sockets Layer (SSL) are vulnerable. Refer to the SAS Note 52725 for more information and to download the hot fix.
• SAS^® DataFlux Secure does not deliver OpenSSL with the software. However, some customers may have implemented the Secure Socket Layer (SSL) to protect HTTP connections. If you are a DataFlux Secure customer, read SAS Note 52743 for more information.