4-16-2018 – Assessment completed
Customer deployments of SAS® are not vulnerable to CVE-2018-1270 or CVE-2018-1275.
Spring Framework (versions 5.0.x to 5.0.5; 4.3.x to 4.3.16; and older, unsupported versions) enables applications to expose the STOMP protocol over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code-execution attack.
No SAS software exposes the STOMP protocol over WebSocket endpoints. Therefore, SAS is not vulnerable to this issue, and no customer action is required to fix this vulnerability.