https://communities.sas.com/t5/Administration-and-Deployment/Postgres-CVE-2020-13692/m-p/695895#M20586 <P>Good day.</P><P>I got a question concerning the following.</P><P>Is&nbsp; SAS 9.4 vulnerable for the following postgres flaw ?</P><P>&nbsp;</P><P>Description of problem:</P><P>An XML eXternal Entity (XXE) flaw was discovered in the PgSQLXML implementation that is known as CVE-2020-13692. This flaw could possibly allow disclosure of confidential data (such as content of local files), denial of service, server side request forgery (SSRF), or other impacts, if specially crafted XML documents are processed by PgSQLXML.</P><P>In order to fix the CVE-2020-13692 issue, the PgSQLXML implementation in postgresql-jdbc was modified to disable loading of external entities and document type definitions (DTD) by default. <STRONG>This change may introduce a regression in environments that rely on processing of external entities or DTDs.</STRONG></P><P>&nbsp;</P><P>For environments that require processing of external entities or DTDs, it is possible to configured PgSQLXML to use the previous behaviour and perform loading of external objects. This legacy behaviour can be enabled for each database connection by setting the xmlFactoryFactory property to the value of LEGACY_INSECURE.</P><P>Note: <STRONG>This setting enables processing of external entities and DTDs and therefore re-introduces the CVE-2020-13692 issue.</STRONG> It should only be used when XML documents stored in a database and processed using the PgSQLXML are fully trusted.</P> Mon, 02 Nov 2020 11:04:12 GMT paterd2 2020-11-02T11:04:12Z https://communities.sas.com/t5/Administration-and-Deployment/Postgres-CVE-2020-13692/m-p/695895#M20586 <P>Good day.</P><P>I got a question concerning the following.</P><P>Is&nbsp; SAS 9.4 vulnerable for the following postgres flaw ?</P><P>&nbsp;</P><P>Description of problem:</P><P>An XML eXternal Entity (XXE) flaw was discovered in the PgSQLXML implementation that is known as CVE-2020-13692. This flaw could possibly allow disclosure of confidential data (such as content of local files), denial of service, server side request forgery (SSRF), or other impacts, if specially crafted XML documents are processed by PgSQLXML.</P><P>In order to fix the CVE-2020-13692 issue, the PgSQLXML implementation in postgresql-jdbc was modified to disable loading of external entities and document type definitions (DTD) by default. <STRONG>This change may introduce a regression in environments that rely on processing of external entities or DTDs.</STRONG></P><P>&nbsp;</P><P>For environments that require processing of external entities or DTDs, it is possible to configured PgSQLXML to use the previous behaviour and perform loading of external objects. This legacy behaviour can be enabled for each database connection by setting the xmlFactoryFactory property to the value of LEGACY_INSECURE.</P><P>Note: <STRONG>This setting enables processing of external entities and DTDs and therefore re-introduces the CVE-2020-13692 issue.</STRONG> It should only be used when XML documents stored in a database and processed using the PgSQLXML are fully trusted.</P> Mon, 02 Nov 2020 11:04:12 GMT https://communities.sas.com/t5/Administration-and-Deployment/Postgres-CVE-2020-13692/m-p/695895#M20586 paterd2 2020-11-02T11:04:12Z https://communities.sas.com/t5/Administration-and-Deployment/Postgres-CVE-2020-13692/m-p/696065#M20600 <P>Hi&nbsp;<a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/223604">@paterd2</a>&nbsp;</P> <P>&nbsp;</P> <P>You can find the security bulletins and vulnerabilities related information from SAS at this site:&nbsp;<A href="https://support.sas.com/en/security-bulletins.html#security-bulletins" target="_blank" rel="noopener">https://support.sas.com/en/security-bulletins.html#security-bulletins</A></P> <P>I don't see the postgres one listed. I would suggest you to raise a technical support track to get it confirmed. You can raise a track by emailing the details to <A href="mailto:support@sas.com" target="_blank" rel="noopener">support@sas.com</A></P> <P>&nbsp;</P> Tue, 03 Nov 2020 01:05:20 GMT https://communities.sas.com/t5/Administration-and-Deployment/Postgres-CVE-2020-13692/m-p/696065#M20600 AnandVyas 2020-11-03T01:05:20Z