Reference Name: OpenSSL Security Advisories
Status: SAS hot fixes are available or under evaluation
- 08-10-2018 - New hot fixes available for SAS Web Server (for SAS 9.4M3 and later)
- 09-11-2017 - New SAS Web Server hot fix available
- 04-13-2017 - New hot fixes available; acknowledgement of new OpenSSL security advisories
- 01-02-2017 - Status update
- 12-19-2016 - Additional fixes
- 10-21-2016 - Acknowledgement, with fixes
OpenSSL libraries are included with the SAS Web Server and SAS® Foundation products. Customers using the Transport Layer Security (TLS) capability with these products might be affected by OpenSSL vulnerabilities.
The OpenSSL community periodically releases security advisory statements highlighting security vulnerabilities that have been discovered in the OpenSSL libraries. SAS reviews these security advisories and schedules fixes for SAS components when needed.
The latest hot fixes for SAS 9.4 and SAS 9.3 releases are available from the SAS Notes referenced below. SAS recommends that you apply these hot fixes to upgrade the OpenSSL libraries as described.
- SAS Web Server – For SAS 9.4M3 and later, customers should review SAS Note 62190. Then, customers should download and apply the appropriate fixes to upgrade SAS 9.4 Web Server software to OpenSSL 1.0.2o and Apache 2.4.27.
For SAS 9.4M2 and earlier, customers should review SAS Note 60908. Then, customers should download and apply the appropriate fixes to upgrade SAS 9.4 Web Server to OpenSSL 1.0.21 and Apache 2.4.27.
- SAS Foundation – Customers should review SAS Note 61700, and download and apply the appropriate fixes to upgrade SAS Foundation software to OpenSSL 1.0.2n. The hot fixes are for all maintenance releases of SAS 9.3 and SAS 9.4.
- SAS Web Infrastructure Platform Data Server – Customers should review SAS Note 56610, and download and apply the appropriate fixes to upgrade SAS 9.4 Web Infrastructure Platform Data Server software to OpenSSL 1.0.1p. The hot fixes are for all maintenance releases of SAS 9.4.