SAS Statement Regarding jackson-databind Polymorphic Deserialization Vulnerabilities

Reference Name: jackson-databind Polymorphic Deserialization Vulnerabilities

Severity: Informational

Status: No action is required by customers


04-01-2020 – Assessment Completed


SAS software is not exposed to the following jackson-databind deserialization vulnerabilities:


The jackson-databind library has known, remote-code execution vulnerabilities resulting from a flaw that allows polymorphic deserialization of potentially malicious objects.


No SAS® software uses jackson-databind Default Typing and polymorphic deserialization. Therefore, SAS is not vulnerable to this issue, and no customer action is required to fix this vulnerability.

Security Bulletins Icon

Security Bulletins

View other security bulletins, published as part of our formal PSIRT process.

Technical Support Icon

Technical Support

Get world-class technical support via our support track system.

Samples & SAS Notes Icon

Samples & SAS Notes

Search our extensive Knowledge Base for code samples and SAS Notes.

Back to Top