SAS Statement Regarding an Unspecified Vulnerability in IBM Platform LSF 10.1 That Can Enable User-Privilege Escalation

Reference Name: IBM Platform LSF 10.1 Contains an Unspecified Vulnerability That Can Enable User-Privilege Escalation (See CVE-2017-1205. See also IBM Security Bulletin: Privilege Escalation / User Impersonation affects IBM Platform LSF and IBM Spectrum LSF.)
Severity: High
Status: Fix Available


History

05-31-2017 – Assessment completed

Impact

Customer deployments of IBM Platform LSF for SAS® are vulnerable to CVE-2017-1205.

Description

Platform LSF uses an external authentication framework to secure user credentials for the data stream between LSF clients and servers. By default, LSF provides an eauth executable file that uses a static authorization key to encrypt the data. As part of the installation process, changing the default key is important in order to prevent unauthorized access. However, many sites do not change this default key and, therefore, are vulnerable to CVE-2017-1205.
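
The following audit script is an added example, not part of this bulletin or of IBM's or SAS's code. It reports whether a host has a site-specific eauth key configured instead of the default static key described above. It assumes the key is set with the `LSF_EAUTH_KEY` parameter in `/etc/lsf.sudoers`, that the key must be at least six characters, and that the file should be mode 0600; none of these details appear on this page, so confirm them against the LSF documentation for your release.

```python
import os
import stat
import sys

# Assumptions (not from this bulletin): parameter name, minimum length, 0600 mode.
KEY_PARAM = "LSF_EAUTH_KEY"
MIN_KEY_LEN = 6


def key_findings(text):
    """Check lsf.sudoers content for a site-specific eauth key; never echoes the key."""
    values = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # commented-out settings do not count
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == KEY_PARAM:
            values.append(value.strip().strip('"'))
    if not values:
        return [f"{KEY_PARAM} is not set, so eauth keeps its default static key"]
    findings = []
    if len(values) > 1:
        findings.append(f"{KEY_PARAM} is set {len(values)} times; keep one definition")
    if any(len(v) < MIN_KEY_LEN for v in values):
        findings.append(f"{KEY_PARAM} is empty or shorter than {MIN_KEY_LEN} characters")
    return findings


def audit(path):
    """Return findings for one lsf.sudoers file; an empty list means it passed."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except FileNotFoundError:
        return [f"{path} is missing, so no site-specific key is configured"]
    findings = key_findings(text)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} exposes the key to group/other; use 0600")
    return findings


if __name__ == "__main__":
    # Run with enough privilege to read the file; the path argument is optional.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/lsf.sudoers"
    problems = audit(target)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

A passing result only shows that a site-specific key is configured; it does not show that the patch named under Solution has been applied.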

Solution

Customers should download and apply the patch that is available in SAS Note 60498, "Platform Suite for SAS® contains a security vulnerability."
