Reference Name: IBM Platform LSF 10.1 Contains an Unspecified Vulnerability That Can Enable User-Privilege Escalation (See CVE-2017-1205. See also IBM Security Bulletin: Privilege Escalation / User Impersonation affects IBM Platform LSF and IBM Spectrum LSF.)
Status: Fix Available
05-31-2017 – Assessment completed
Customer deployments of IBM Platform LSF for SAS® are vulnerable to CVE-2018-1205
Platform LSF uses an external authentication framework to secure user credentials for the data stream between LSF clients and servers. By default, LSF provides an eauth executable file that uses a static authorization key to encrypt the data. As part of the installation process, changing the default key is important in order to prevent unauthorized access. However, many sites do not change this default key and, therefore, are vulnerable to CVE-2017-1205.
Customers should download and apply the patch that is available in SAS Note 60498, "Platform Suite for SAS® contains a security vulnerability."