Problem Note 65894: Security updates for SAS® Infrastructure Data Server for SAS® Viya® 3.5
Severity: Medium
Description: The following versions of PostgreSQL are used as the underlying technology for the SAS Infrastructure Data Server in SAS Viya 3.5:
- PostgreSQL 11.x
- PostgreSQL 15.x
These versions of PostgreSQL have the following known security vulnerabilities.
Potential Impact:
- Role "pg_signal_backend" can signal certain superuser processes.
- Buffer overrun from integer overflow exists in array modification.
- Memory disclosure occurs in aggregate function calls.
- An authenticated attacker could, in certain configurations, use this flaw to drop objects, leading to database corruption.
- An authenticated attacker could use this flaw to execute arbitrary SQL commands in the context of the user used for replication.
- An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script during the installation or update of an extension.
- A man-in-the-middle attack, or observation of clear-text transmissions, is possible.
- Creation of non-temporary objects can execute arbitrary SQL functions under the identity of a superuser.
- Buffer overrun from integer overflow in array subscripting calculations.
- Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE.
- Memory disclosure in partitioned-table UPDATE ... RETURNING.
SAS supports all versions of the database delivered with the product, but only the latest version, PostgreSQL 15.x, continues to receive security fixes from the PostgreSQL community.
SAS recommends upgrading to PostgreSQL 15.x by following the instructions in "Upgrading PostgreSQL in SAS Viya."
To determine whether you need a new order for this upgrade, refer to the following:
SAS KB0037227, "Determine whether you need a new order for PostgreSQL 15 on SAS® Viya® 3.5 (Linux)"
SAS KB0037228, "Determine whether you need a new order for PostgreSQL 15 on SAS® Viya® 3.5 (Windows)"
After you upgrade PostgreSQL to 15.x and then apply this hot fix to update it to 15.6, all of these security concerns are addressed.
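The following POSIX shell script is an added example for checking where a given SAS Infrastructure Data Server instance stands against the remediation above; it is not part of this SAS note or of the SAS product. It accepts either the integer form that PostgreSQL returns for SHOW server_version_num (major*10000 + minor, so 15.6 is 150006) or the dotted string from SHOW server_version, and reports whether the server is on a major version that no longer receives community fixes, is on 15.x but below the 15.6 hot fix level, or is at or above 15.6. The host, port and user in the usage comment are assumptions for illustration; substitute the values for your deployment.

```shell
#!/bin/sh
# Added example (not SAS code): classify a PostgreSQL version against the
# remediation in this note: 11.x (and anything below 15) needs the major upgrade,
# 15.x below 15.6 needs the hot fix, 15.6 or later is at the fixed level.

# Normalize a version to PostgreSQL's server_version_num integer form.
# Accepts "150006" as-is, or "15.6" / "11.21 (Debian 11.21-0+deb10u1)" -> 150006 / 110021.
# Returns 2 for anything it cannot parse.
pg_version_num() {
    v=$1
    case "$v" in
        *.*)
            major=${v%%.*}
            minor=${v#*.}
            minor=${minor%%[!0-9]*}      # drop platform suffix after the minor number
            case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac
            echo $((major * 10000 + minor)) ;;
        ''|*[!0-9]*) return 2 ;;
        *) echo "$v" ;;
    esac
}

# Print a status token plus detail; return 0 when at/above 15.6, 1 when action is
# needed, 2 when the input is not a version.
pg_remediation() {
    vnum=$(pg_version_num "$1") || { echo "invalid"; return 2; }
    major=$((vnum / 10000))
    minor=$((vnum % 10000))
    if [ "$major" -lt 15 ]; then
        echo "upgrade-major: PostgreSQL $major.$minor no longer receives community security fixes; upgrade to 15.x"
        return 1
    elif [ "$vnum" -lt 150006 ]; then
        echo "apply-hotfix: PostgreSQL $major.$minor is below 15.6; apply the hot fix"
        return 1
    else
        echo "ok: PostgreSQL $major.$minor is at or above 15.6"
        return 0
    fi
}

# Live use against the SAS Infrastructure Data Server (host, port and user are
# assumptions; adjust for your deployment):
#   pg_remediation "$(psql -h localhost -p 5432 -U dbmsowner -Atc 'SHOW server_version_num;')"
```

The exit status makes the function usable in a pre-upgrade script or a monitoring check: a non-zero status means the instance still needs either the major upgrade or the hot fix.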
Click the Hot Fix tab in this note for a link to instructions about accessing and applying the software update.
Operating System and Release Information

Product Family | Product | System | Product Release (Reported) | Product Release (Fixed*) | SAS Release (Reported) | SAS Release (Fixed*)
SAS System | SAS Viya | Linux for x64 | 3.5 | 3.5 | Viya | Viya

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type: Problem Note
Priority: high
Date Modified: 2024-03-07 15:10:49
Date Created: 2020-04-28 12:36:42