SAS Statement Regarding the Polyfill Supply Chain Attack Vulnerability (CVE-2024-38526) 

Reference Name: Polyfill Supply Chain Attack Vulnerability (CVE-2024-38526) 
Severity: Critical
Status: Evaluation

History

• 7-10-2024 – Initial statement

Summary

SAS is aware of CVE-2024-38526, has investigated the impact of this vulnerability on SAS® products, and has found that no action is recommended.

Impact 

SAS has evaluated that the SAS® Viya® platform, SAS® 9.4, and SAS® Viya® 3.x do not load the Polyfill library from impacted Content Delivery Networks (CDNs) and are not affected.

As always, SAS recommends that you keep your SAS deployments up to date. The current version of the SAS®9 platform is SAS 9.4M8 (TS1M8). Instructions for upgrading are available.

Guidance, Activities, and Plans

At this time, no customer action in response to CVE-2024-38526 is recommended. 

Updates to this Bulletin

If SAS has additional news or guidance for this vulnerability and its impact on SAS software and services, this official security bulletin will be updated. 

The latest SAS Product Security bulletins are available at https://support.sas.com/security-bulletins.html and by RSS feed.