Severity: Critical

Description: Before the 2023 Q1 release of the updated ODBC drivers for DataFlux^® Data Management Studio and DataFlux^® Data Management Server that are available in SAS Note 66084, the cURL library that is used by certain DataFlux ODBC drivers when they are configured to use an HTTP proxy is affected by the double free vulnerability described in CVE-2022-42915.

Potential Impact: Impacts vary.  Refer to the CVE record listed in the previous section for details.

Click the Hot Fix tab of SAS Note 66084 to access the hot fix for this issue.

Operating System and Release Information

Product Family	Product	System	SAS Release
			Reported	Fixed*
Dataflux	DataFlux Data Management Server	Microsoft Windows Server 2008 R2
		Microsoft Windows Server 2008
		Microsoft Windows Server 2003 for x64
		Microsoft Windows Server 2003 Standard Edition
		Microsoft Windows Server 2003 Enterprise Edition
		Microsoft Windows Server 2003 Datacenter Edition
		Microsoft Windows NT Workstation
		Microsoft Windows 2000 Professional
		Microsoft Windows 2000 Server
		Microsoft Windows 2000 Datacenter Server
		Microsoft Windows 2000 Advanced Server
		Microsoft Windows 95/98
		Microsoft Windows 11
		Microsoft Windows 10
		Microsoft Windows 8.1 Pro x64
		Microsoft Windows 8.1 Pro 32-bit
		Microsoft Windows 8.1 Enterprise x64
		Microsoft Windows 8.1 Enterprise 32-bit
		Microsoft Windows 8 Pro x64
		Microsoft Windows 8 Pro 32-bit
		Microsoft Windows 8 Enterprise x64
		Microsoft Windows 8 Enterprise 32-bit
		Microsoft® Windows® for x64
		Microsoft Windows Server 2008 for x64
		Microsoft Windows Server 2012 Datacenter
		Microsoft Windows Server 2012 R2 Datacenter
		Microsoft Windows Server 2012 R2 Std
		Microsoft Windows Server 2012 Std
		Microsoft Windows Server 2016
		Microsoft Windows Server 2019
		Microsoft Windows Server 2022
		Microsoft Windows XP Professional
		Windows 7 Enterprise 32 bit
		Windows 7 Enterprise x64
		Windows 7 Home Premium 32 bit
		Windows 7 Home Premium x64
		Windows 7 Professional 32 bit
		Windows 7 Professional x64
		Windows 7 Ultimate 32 bit
		Windows 7 Ultimate x64
		Windows Millennium Edition (Me)
		Windows Vista
		Windows Vista for x64
		64-bit Enabled AIX
		64-bit Enabled HP-UX
		64-bit Enabled Solaris
		HP-UX IPF
		Linux
		Linux for x64
		Solaris for x64
Dataflux	DataFlux Data Management Studio	Microsoft® Windows® for x64
		Microsoft Windows 8 Enterprise 32-bit
		Microsoft Windows 8 Enterprise x64
		Microsoft Windows 8 Pro 32-bit
		Microsoft Windows 8 Pro x64
		Microsoft Windows 8.1 Enterprise 32-bit
		Microsoft Windows 8.1 Enterprise x64
		Microsoft Windows 8.1 Pro 32-bit
		Microsoft Windows 8.1 Pro x64
		Microsoft Windows 10
		Microsoft Windows 11
		Microsoft Windows 95/98
		Microsoft Windows 2000 Advanced Server
		Microsoft Windows 2000 Datacenter Server
		Microsoft Windows 2000 Server
		Microsoft Windows 2000 Professional
		Microsoft Windows NT Workstation
		Microsoft Windows Server 2003 Datacenter Edition
		Microsoft Windows Server 2003 Enterprise Edition
		Microsoft Windows Server 2003 Standard Edition
		Microsoft Windows Server 2003 for x64
		Microsoft Windows Server 2008
		Microsoft Windows Server 2008 R2
		Microsoft Windows Server 2008 for x64
		Microsoft Windows Server 2012 Datacenter
		Microsoft Windows Server 2012 R2 Datacenter
		Microsoft Windows Server 2012 R2 Std
		Microsoft Windows Server 2012 Std
		Microsoft Windows Server 2016
		Microsoft Windows Server 2019
		Microsoft Windows Server 2022
		Microsoft Windows XP Professional
		Windows 7 Enterprise 32 bit
		Windows 7 Enterprise x64
		Windows 7 Home Premium 32 bit
		Windows 7 Home Premium x64
		Windows 7 Professional 32 bit
		Windows 7 Professional x64
		Windows 7 Ultimate 32 bit
		Windows 7 Ultimate x64
		Windows Millennium Edition (Me)
		Windows Vista
		Windows Vista for x64

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

---

The cURL library that is used when certain DataFlux ODBC drivers are configured to use an HTTP proxy is affected by the double free vulnerability described in CVE-2022-42915.

Type:	Problem Note
Priority:	alert

Date Modified:	2023-04-06 15:04:29
Date Created:	2023-03-31 13:32:55