Select Your Region

Visit the Cary, NC, US corporate headquarters site

Americas

Europe

Middle East & Africa

Asia Pacific

View our worldwide contacts list for help finding your region

Americas

Europe

Middle East & Africa

Asia Pacific

Sign In

Get access to My SAS, trials, communities and more.

Sign Out

Get access to My SAS, trials, communities and more.

SAS Sites

sas.com
Support
Blogs
Communities
Developer
Curiosity
Videos
Merchandise
Brand
PartnerNet

SAS Statement Regarding a Spring Framework Remote Code-Execution Vulnerability

Reference Name: Spring Framework Remote Code-Execution Vulnerability
pivotal.io/security/cve-2018-1270
pivotal.io/security/cve-2018-1275
Severity: Informational
Status: No action by customers is required

History

4-16-2018 – Assessment completed

Impact

Customer deployments of SAS® are not vulnerable to CVE-2018-1270 or CVE-2018-1275. 

Description

Spring Framework (versions 5.0.x to 5.0.5; 4.3.x to 4.3.16; and older, unsupported versions) enables applications to expose the STOMP protocol over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code-execution attack.

Solution

No SAS software exposes the STOMP protocol over WebSocket endpoints. Therefore, SAS is not vulnerable to this issue, and no customer action is required to fix this vulnerability.

Security Bulletins

View other security bulletins, published as part of our formal PSIRT process.

Technical Support

Get world-class technical support via our support track system.

Samples & SAS Notes

Search our extensive Knowledge Base for code samples and SAS Notes.