topic Re: Whats going on with updates? in Administration and Deployment

Whats going on with updates?

epower — Tue, 15 Mar 2022 03:45:28 GMT

Am I missing a place to stay up to date on release information? I was even manually going through hotfix announcement and everything is around VIYA and not touching 9.4

Anyone have insights? This is just a sliver of the security findings I'm having to deal with and there seems to be no fixes and M8 wont be available now until the end of the year...

Path : /opt/local/sas/sas94/SASHome/SASWebServer/9.4/httpd-2.4.43/bin/httpd
Installed version : 2.4.43
Fixed version : 2.4.46

CVE-2020-11984 CVE-2020-11993 CVE-2020-9490

Path : /opt/local/sas/sas94/SASHome/SASWebServer/9.4/httpd-2.4.43/bin/httpd
Installed version : 2.4.43
Fixed version : 2.4.47

CVE-2019-17567 CVE-2020-13938 CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641

Re: Whats going on with updates?

Patrick — Tue, 15 Mar 2022 05:14:16 GMT

Did you already try this tool?
https://support.sas.com/en/technical-support/maintenance/hot-fixes/hot-fix-analysis-download-deployment-tool.html

Re: Whats going on with updates?

alexal — Tue, 15 Mar 2022 10:25:22 GMT

Take a look at SAS Hot Fix J8M003
https://tshf.sas.com/techsup/download/hotfix/HF2/J8M.html#J8M003

Re: Whats going on with updates?

epower — Tue, 15 Mar 2022 11:46:01 GMT

Thanks for the response.. Looks like it does help but still pretty old if that's the latest update.

Path : /opt/local/sas/sas94/SASHome/SASWebServer/9.4/httpd-2.4.43/bin/httpd
Installed version : 2.4.43
Fixed version : 2.4.52

CVE-2021-44224 CVE-2021-44790

Re: Whats going on with updates?

alexal — Tue, 15 Mar 2022 13:20:32 GMT

Contact SAS Technical Support if you have any concerns

https://www.sas.com/en_us/contact/technical-support.html

Re: Whats going on with updates?

gwootton — Tue, 15 Mar 2022 13:30:50 GMT

SAS security updates can be found here:

https://support.sas.com/en/security-bulletins.html

The "SAS Security Update for SAS 9.4 Mx" (where x is your maintenance release) specifically might be of interest to you.

Re: Whats going on with updates?

epower — Tue, 15 Mar 2022 13:35:01 GMT

This is kind of my point... If you look there you see they barely have anything.. They speak about Log4J and thats about it.

Re: Whats going on with updates?

Kurt_Bremser — Tue, 15 Mar 2022 13:42:43 GMT

In my opinion, SAS (and their partner who provides httpd and tomcat) are EXTREMELY sloppy with security-updates for apache and tomcat. These should have their own hotfix downloads and these hotfixes have to be available at max a week (or so, the quicker, the better) after issued by the Apache Foundation themselves.

We had less security hassles when we used our own http/tomcat/boss.

Re: Whats going on with updates?

gwootton — Tue, 15 Mar 2022 13:52:07 GMT

The SAS Security Update for 9.4 M7 December release addresses 32 additional CVEs to the September release.

https://support.sas.com/content/support/en/security-bulletins/SAS-security-update-for-SAS94M7-TS1M7.html