Reference Name: Package Managers Configurations Remote Code Execution Vulnerability (CVE-2021-24105)
Severity: Informational
Status: No action by customers is required.
History
04-29-2021 – Assessment completed
Impact
SAS® software is not impacted by the dependency confusion vulnerability described in CVE-2021-24105 Package Managers Configurations Remote Code Execution Vulnerability.
Description
Depending on how a package manager is configured, an attacker can place a malicious package in a repository that the package manager consults. That package can then be retrieved and used during development, build, and release processes, and its execution at any of those stages can lead to remote code execution.
Solution
SAS implements controls and processes to guard against the dependency confusion vulnerability described in CVE-2021-24105 Package Managers Configurations Remote Code Execution Vulnerability. Through procedural care and tooling, SAS ensures that any software artifacts included in products developed by SAS Research and Development are obtained from package managers that are specifically configured to use repositories that prevent a malicious package from overriding the artifact that is provided by SAS. Security checks, in addition to feature and function testing, are performed on these artifacts to guard against dependency confusion vulnerabilities.
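As an added illustration (not SAS's code or configuration), the following Python model contrasts the two resolution policies the Description and Solution sections refer to: a weak one in which every index is searched and the highest version wins, and a hardened one in which internal package names are served only by the private repository, plus a pre-build check that reports which internal names the weak policy would resolve from a public index. Package names, versions and helper functions are constructed for this example.

```python
# Added example: a small model of dependency resolution across a private
# and a public package index. All names, versions and helpers below are
# constructed for illustration and are not SAS's tooling.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # e.g. (1, 4, 0); tuples compare component-wise
    index: str       # "private" or "public"


# Constructed inventory: the internal package lives on the private index;
# a same-named package with a higher version number exists on the public one.
PRIVATE_INDEX = [Candidate("acme-internal-utils", (1, 4, 0), "private")]
PUBLIC_INDEX = [Candidate("acme-internal-utils", (99, 0, 0), "public"),
                Candidate("requests", (2, 31, 0), "public")]
INTERNAL_NAMES = {"acme-internal-utils"}


def resolve_merged(name, indexes):
    """Weak policy: all indexes are searched and the highest version wins,
    so a same-named public package can shadow the private artifact."""
    candidates = [c for idx in indexes for c in idx if c.name == name]
    return max(candidates, key=lambda c: c.version, default=None)


def resolve_pinned(name, private, public, internal_names):
    """Hardened policy: names in the internal namespace are resolved from
    the private index only; the public index serves everything else."""
    source = private if name in internal_names else public
    candidates = [c for c in source if c.name == name]
    return max(candidates, key=lambda c: c.version, default=None)


def shadowed_packages(internal_names, private, public):
    """Pre-build check: internal names that the weak policy would fetch
    from a public index instead of the private repository."""
    shadowed = []
    for name in sorted(internal_names):
        chosen = resolve_merged(name, [private, public])
        if chosen is not None and chosen.index != "private":
            shadowed.append(name)
    return shadowed


if __name__ == "__main__":
    weak = resolve_merged("acme-internal-utils", [PRIVATE_INDEX, PUBLIC_INDEX])
    hard = resolve_pinned("acme-internal-utils", PRIVATE_INDEX, PUBLIC_INDEX, INTERNAL_NAMES)
    print("merged policy picks:", weak.index, weak.version)   # public (99, 0, 0)
    print("pinned policy picks:", hard.index, hard.version)   # private (1, 4, 0)
    print("shadowed internal names:", shadowed_packages(INTERNAL_NAMES, PRIVATE_INDEX, PUBLIC_INDEX))
```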