Select Your Region

Visit the Cary, NC, US corporate headquarters site

Americas

Europe

Middle East & Africa

Asia Pacific

View our worldwide contacts list for help finding your region

Americas

Europe

Middle East & Africa

Asia Pacific

Sign In

Get access to My SAS, trials, communities and more.

Sign Out

Get access to My SAS, trials, communities and more.

SAS Sites

sas.com
Support
Blogs
Communities
Developer
Curiosity
Videos

Documentation

Learn
Brand
PartnerNet
Merchandise
  1. Security Bulletins
  2. Jackson-Databind Polymorphic Deserialization Vulnerabilities

SAS Statement Regarding jackson-databind Polymorphic Deserialization Vulnerabilities

Reference Name: jackson-databind Polymorphic Deserialization Vulnerabilities

Severity: Informational

Status: No action is required by customers

History

07-13-2021 – New CVE entries added.

04-01-2020 – Assessment Completed

Impact

SAS software is not exposed to the following jackson-databind deserialization vulnerabilities:

Description

The jackson-databind library has known, remote-code execution vulnerabilities resulting from a flaw that allows polymorphic deserialization of potentially malicious objects.

Solution

No SAS® software uses jackson-databind Default Typing and polymorphic deserialization. Therefore, SAS is not vulnerable to this issue, and no customer action is required to fix this vulnerability.

Security Bulletins

View other security bulletins, published as part of our formal PSIRT process.

Technical Support

Get world-class technical support via our support track system.

Samples & SAS Notes

Search our extensive Knowledge Base for code samples and SAS Notes.