SAS Statement Regarding OpenSSL Security Advisories

Reference Name: OpenSSL Security Advisories
Severity: High
Status: SAS hot fixes are available or under evaluation


History

Updates and Status

  • 12-13-2019 - New hot fix available for SAS Web Server (SAS 9.4M6)
  • 05-01-2019 - New hot fix available for SAS Web Server (SAS 9.4M6)
  • 04-30-2019 - New hot fix available for SAS Foundation (SAS 9.4M6)
  • 08-10-2018 - New hot fixes available for SAS Web Server (for SAS 9.4M3 and later)
  • 09-11-2017 - New SAS Web Server hot fix available
  • 04-13-2017 - New hot fixes available; acknowledgement of new OpenSSL security advisories
  • 01-02-2017 - Status update
  • 12-19-2016 - Additional fixes
  • 10-21-2016 - Acknowledgement, with fixes

Impact

OpenSSL libraries are included with the SAS Web Server and SAS® Foundation products. Customers using the Transport Layer Security (TLS) capability with these products might be affected by OpenSSL vulnerabilities.

Description

The OpenSSL community periodically releases security advisory statements highlighting security vulnerabilities that have been discovered in the OpenSSL libraries. SAS reviews these security advisories and schedules fixes for SAS components when needed.

Solution

The latest hot fixes for SAS 9.4 and SAS 9.3 releases are available from the SAS Notes referenced below. SAS recommends that you apply these hot fixes to upgrade the OpenSSL libraries as described.

  • SAS Web Server – For SAS 9.4M6, customers should review SAS Note 66129. Then, customers should download and apply the appropriate fix to upgrade SAS 9.4 Web Server software to OpenSSL 1.0.2u and Apache 2.4.43.

    For SAS 9.4M3 through SAS 9.4M5, customers should review SAS Note 62190. Then, customers should download and apply the appropriate fixes to upgrade SAS 9.4 Web Server software to OpenSSL 1.0.2o and Apache 2.4.27.

    For SAS 9.4M2 and earlier, customers should review SAS Note 60908. Then, customers should download and apply the appropriate fixes to upgrade SAS 9.4 Web Server to OpenSSL 1.0.2l and Apache 2.4.27.

  • SAS Foundation – For SAS 9.4M6, customers should review SAS Note 64003. Then, customers should download and apply the appropriate fixes to upgrade SAS Foundation software to OpenSSL 1.0.2r.

    For SAS 9.4M5 and earlier, customers should review SAS Note 61700. Then, customers should download and apply the appropriate fixes to upgrade SAS Foundation software to OpenSSL 1.0.2n. The hot fixes are for all maintenance releases of SAS 9.3 and SAS 9.4.

  • SAS Web Infrastructure Platform Data Server – Customers should review SAS Note 56610, and download and apply the appropriate fixes to upgrade SAS 9.4 Web Infrastructure Platform Data Server software to OpenSSL 1.0.1p. The hot fixes are for all maintenance releases of SAS 9.4.
