Reference Name: Notice to SAS Migration Utility Users
Status: Recommendation issued
10-8-2014 – Acknowledgement, with recommendation
Assessment & Recommended Actions
On October 8, 2014 SAS Institute identified a scenario in our SAS Migration Utility where passwords used during the migration process are stored in the resulting migration package and utility log file. The SAS® Migration Utility is a tool whose primary purpose is to create a package of content from an existing SAS configuration. That package can then be used during an update within a release, upgrade to a new SAS release, or a replication of an existing deployment. Documentation is in the SAS 9.4 Intelligence Platform: Migration Guide.
Based on the scenario we identified, we recommend that customers using the SAS Migration Utility secure the access permissions to the output location of the SAS Migration Utility package. All passwords supplied to the SAS Migration Utility should be encoded to ensure passwords are not exposed in clear text.
SAS internal teams identified this potential security issue. No customers have reported this problem, and we are not aware of any issues associated with this specific exposure. SAS will continue to update our customers on any potential scenarios that we believe require action. If you have concerns or questions, please contact SAS Technical Support.